Moonlight maze back from the dead, powering modern Turla malware

News by Rene Millman

An ancient infected server, analysed by researchers at King's College London and Kaspersky Lab, has uncovered possible links between Turla and Moonlight Maze.

Kaspersky Lab and King's College London researchers, looking for a link between a modern threat actor and the Moonlight Maze attacks that targeted the Pentagon, NASA and more in the late 1990s, have unearthed samples, logs and artefacts belonging to the ancient APT.

According to investigations by security researchers, a backdoor used in 1998 by Moonlight Maze to tunnel information out of victim networks connects to a backdoor used by Turla in 2011 and possibly as recently as 2017.

The researchers said that if a link between Turla and Moonlight Maze is proven, it would place the evolved threat actor alongside the Equation Group in terms of its longevity, as some of Equation's command-and-control servers date back to 1996.

Thomas Rid of King's College London tracked down a former system administrator whose organisation's server had been hijacked as a proxy by the Moonlight Maze attackers. This server, ‘HRTest’, had been used to launch attacks on the US.

The now-retired IT professional kept the original server and copies of everything relating to the attacks and handed it to King's College and Kaspersky Lab for further analysis.

Kaspersky Lab researchers, Juan Andres Guerrero-Saade and Costin Raiu, together with Thomas Rid and Danny Moore from King's College, spent nine months undertaking a detailed technical analysis of these samples. They reconstructed the attacker's operations, tools and techniques, and conducted a parallel investigation to see if they could prove the claimed connection with Turla.

Moonlight Maze was an open-source Unix-based attack targeting Solaris systems, and the findings show that it made use of a backdoor based on LOKI2, created in 1996.

The code was spotted in the wild in 2011 and again this year when researchers discovered a new sample of the Penguin Turla backdoor submitted from a system in Germany. Penguin Turla is based on LOKI2 and may have been used to attack highly secure entities that might be harder to breach using a more standard Windows toolset.

“In the late 1990s, no-one foresaw the reach and persistence of a coordinated cyber-espionage campaign,” said Juan Andres Guerrero-Saade, senior security researcher in the Global Research and Analysis Team at Kaspersky Lab.

“We need to ask ourselves why it is that attackers are still able to successfully leverage ancient code in modern attacks. The analysis of the Moonlight Maze samples is not just a fascinating archaeological study; it is also a reminder that well-resourced adversaries aren't going anywhere – it's up to us to defend systems with skills to match.”
