Target information environment
During the late 1990s, The Moonlight Maze attacks appeared as an immense form of cyber attacks directed towards the government of USA. The attackers gained access to plenty of confidential and sensitive data and files. The U.S officials immediately suspected professional state-sponsored Russian hackers as culprits who, according to them, infiltrated and further stole the private data from military contractors and universities as well as from major U.S agencies such as NASA and Department of Energy. The data was stored in the computers belonging to the U.S Department of Defense (DoD) and the hackers had access to the systems for a whole year. This major event shook the cores of Intelligence security and brought the dangers of state-sponsored hacking; specifically Russian hacking into limelight. Mr. Richard Clarke, the ex Coordinator Counterterrorism, claimed it to be a preliminary survey undertaken by the Russian military before the war. Later on, more and more attacks of the same level further deteriorated the already perforated privacy.
Another shock wave came in 2015, where again the Russian hackers allegedly penetrated the White House email network used for crucial personnel matters, matters of agreement with overseas diplomats and important schedules. A ruthless access to key networks in the Pentagon including the extensive email systems owned by the Joint Chief of Staff as well as multiple other targets were also reported to be done by the same hackers.
With the onset of 2016, the election year, things turned a horrific turn in terms of cyber operations carried out by Russia. This time, two Russian Intelligence agencies FSB and GRU at the same time were involved in gaining access to the email accounts belonging to staffers of Hillary Clinton campaign and to the networks of Democratic National Committee. As a result, the data was not only stolen but also displayed all over social media, print media and Wiki Leaks.
How did the attack work
The hackers planned the whole attack with a smart strategy of building “back doors” through which they could gain entry as many times as they want as per their wish and proceed to more stealing. Leaving behind tools for the purpose of rerouting specific network through Russia without any detection was another smart move. The interesting thing is that they did not create anything from scratch; rather the whole exploitation was done via sources available publically. Even though the system administrators discovered many exploits to expose the existing flaws in their own systems, however, it was manipulated for ill and evil purposes.
With the attack, multiple questions were raised over the efficiency of the security and the success of hackers. In Haizler’s words, “Moonlight Maze……stressed the vulnerabilities of the infosphere, in which the adversaries could not only cause disruption of service, but also could exploit sensitive information.”
The reason was the neglect and lack of vigilance by the software manufacturers about the loopholes in their systems. They often would delay the fixing of overdue technical flaws for as long as a year which gave the hackers enough time to infiltrate their systems secretly. Since the Internet and its operations were novel notions, the vulnerabilities also went unnoticed making it an easier target to commit one of the largest breaches in classified information history. Moreover, the hackers used vulnerable institutions to hide their identity like public libraries and universities to relay their connections since the servers hacked by them could only track the last location of their route which is called proxying.
The damage caused by the attack
The first and original Moonlight Maze attack left a great impact on the private functionalities of the Pentagon, NASA and the U.S. Department of Energy; to name a few. A detailed set of network proxies were utilized for the concealment of the identities of the hackers. The Moonlight Maze hackers also targeted a company in the United Kingdom; the discovery of which prompted the FBI and Scotland Yard to seek information about the whole process from their system administrators. A plan was laid out to turn this server against the hackers themselves by setting up an HR Test which could save archives, collect logs, capture pockets and monitor a user named “it”. The strategy came out as a coup for the investigation agencies who received a six month snapshot of Moonlight Maze operations from the year 1998 to 1999 via that particular relay site. Mr. James Adams, CEO of Infrastructure Defense Inc, warned that “the information was shipped over the Internet to Moscow for sale to the highest bidder” and that “the value of this stolen information is in the tens of millions, perhaps hundreds of millions of dollars.”
It was said that the retrieved information may have included crucial data on missile-guidance systems and other confidential military data and naval codes. Thousands of files incorporating hard earned technical researches, U.S Troop configurations, military maps, techniques related to encryption, hardware designs and important data relevant to Pentagon’s war planning was all stolen which could have been a major disaster since it could be sold to US oppositions and enemies.
With these attacks, the defending capability of the US was exposed and crumbled. The retrieved information was so sensitive that it could potentially destroy the US Missile defense systems completely resulting in utter damage. In the words of Juan Andres Guerrero-Saade, Senior Security Researcher at Kaspersky Lab, “The analysis of the Moonlight Maze samples is not just a fascinating archaeological study; it is also a reminder that well-resourced adversaries aren’t going anywhere, it’s up to us to defend systems with skills to match.
The whole procedure of tracking and finally tracing the attackers began with the unusual connection noticed by a technician at “ATI-Corp”, a specialist materials company back in 1998. The connection was being made at 3 AM on a Sunday to Wright Patterson Air Force Base from their own network and the owner of the account refused to have made any such connection that time which then led him to report it to CERTs and Air Force. Upon investigations, hints of further connections were explored either through various weaker organizations and universities (University of South Carolina, University of Cincinnati, Wright University and the like). It was also suspected that they had made the connection through a machine in Moscow directly.
Soon the investigation by FBI gained weight when it was found out that it was a synced and coordinated attack; a massive level of its kind. The attackers were predominantly proxying through small businesses and universities since they make ideal proxies for attacks due to faster network links and more legitimate traffic than a connection from Moscow. Moreover, in spite of their weaker defenses, they can have critical information and details.
Installation of the network equivalents of wire-taps at a few universities accessible to the attackers were performed. This made spying the hackers easier as they typed out their commands through which they discovered that the hackers were using standard tools (Telnet and FTP) to move through networks and steal documents without standing out.
Recently in 2016, researcher Thomas Rid of Kings College, London identified one of the system administrators whose servers had been used as a Moonlight Maze proxy. The information was given to Kings College and Kaspersky Lab by retrieving copies of log data from the compromised MM proxy host. The researched after a thorough analysis interestingly found out the code of MM being used in even recent attacks including the Turla APT (Advanced persistent threat).
Turla, a Russian-speaking threat actor, is gigantic figure in cyber espionage scenes. Bearing the names of Snake, Venomous Bear, Krypton and Uroburos, the APT group armed with a massive track record of major cyber attacks since 2007 is actively employing infiltration and deception techniques as well as diverse infection vectors. Thomas Rid further found out about the previous claim by three different investigators that the MM threat actor would eventually evolve into the modern day Turla. The idea that the Turla threat actor may be related to this historic attack piqued our interest, as substantiating this claim would effectively set it as a historical counterpart to the Equation Group in extraordinary longevity.
After a long period of inactivity and almost dumping that case into trash, this was a huge finding after two decades as they were able to find a connection between rare Linux samples used by both Turla and Moonlight Maze (the code they shared was related to a backdoor used on LOKI 2, an information tunneling program released in 1996).