Guerrero-Saade said it was "terrifying" that a 20-year-old hacking tool could still be relevant and succeed in attacks against modern operating systems and networks. Moonlight Maze attackers didn't have to take advantage of any sophisticated tricks to bypass antivirus companies or security defenses. And it's disturbing to see that old code evolve into Penguin Turla, link to old libraries, and still work against modern machines.
The evidence tying the two attack groups together came from a server that was compromised during the Moonlight Maze attacks. After the compromise was detected, investigators started logging everything happening on the server, which the attackers were using as a relay server. Investigators gained full visibility into the attacks over a six-month period in 1998 and 1999, including attack logs and attack tools. A system administrator had held onto the forensic images all these years and shared the information with the researchers.
"We uncovered a time capsule," Guerrero-Saade said.
While the evidence connecting Moonlight Maze and recent Turla campaigns is solid, researchers stopped short of saying the attackers are the same group. Kaspersky Lab does not engage in attribution, but there are intriguing implications. The FBI had sent investigators to Moscow in the 1990s as part of its investigation, and the investigators came back convinced Moonlight Maze was the work of Russian state actors, said Thomas Rid, the King's College researcher who worked with Kaspersky Lab.
Researchers plan to keep digging to find more technical evidence linking Moonlight Maze and Turla, they said.