KASPERSKY SECURITY ANALYST SUMMIT 2017 - St. Maarten - Some security researchers long have suspected that the hacker group behind a wave of cyber espionage attacks in the mid- to late 1990's against NASA, the US military, Department of Energy, universities, and other US government agencies is the very same group known as Turla, aka Venomous Bear, Uroburos, and Snake, an especially stealthy and innovative Russian-speaking attack team that has been active since 2007. There has been no solid technical evidence to make that connection - until now.
Researchers from Kaspersky Lab and Kings College London here today announced that they have been able to connect the dots from the Moonlight Maze attackers from the '90s and the currently active Turla group, a cyber espionage team that, among other novel methods, hijacks unencrypted satellite links to help quietly exfiltrate data stolen from its victims. It appears the two groups may be one and the same, according to the researchers, which would make Turla/Moonlight Maze one of the longest-running attack groups alongside the Equation Group. They discovered that Turla has recycled and reused code it may have had in its arsenal all these years, employing an open-source, stealthy, data extraction tool-based backdoor - known today as Penquin Turla - that shares code with another backdoor they used in the '90s attack wave.
Kings College's Thomas Rid, in his 2016 book "Rise of the Machines," had already pointed out connections between the two generations of attacks, but the researchers decided to dig further and root out some technical proof. The team was able to obtain a valuable relic from the Moonlight Maze attacks: an old hijacked server one of the UK victims had saved over the past two decades since the FBI and US Department of Defense had found forensic evidence showing a link to Russian ISPs. Rid, his colleague at Kings College Daniel Moore, and Kaspersky researchers Costin Raiu and Juan Andres Guerrero-Saade then spent nine months analyzing and studying logs and artifacts from the server for clues that could more definitively prove that the '90s-era attack group lives today as Turla. The attackers that infiltrated US government and research networks back then had used the server as a proxy. The server provided the researchers a snapshot of time: 1998-1999.
Moonlight Maze exploited open-source Unix tools to target Sun Solaris-based Unix servers, which were popular back in the day in those environments. The researchers spotted the ties between the Moonlight Maze backdoor, which was based on the open-source LOKI2 program that dates back to 1996, with Penquin Turla, a Linux-based backdoor tool Kaspersky researchers first found in 2014. They found something they hadn't first noticed when they studied Penquin nearly three years ago: it also is based on LOKI2.
Kaspersky Lab as a policy does not identify cyber espionage groups. Guerrero-Saade, senior security researcher with Kaspersky, confirmed that Turla gang's artifacts feature Russian-speaking elements and Russian IPs connecting to the attacked machine, but declined to comment on whether Turla is a Russian state actor. "We found small Russian-language artifacts and connections to Russian IPs," he says, adding that Moore concluded that the logs jibed with the Russian time zone.
Meanwhile, the researchers had plenty of logs to peruse and study from the old server, he says. "No one working on the incident [in the 1990s] ever got to see how it worked … We now have a comprehensive glimpse at how they were carrying out their operations," Guerrero-Saade says. It wasn't until 1999 that word of the FBI's investigation into the attacks leaked publicly, but most of the information surrounding the attacks has remained classified. The FBI had destroyed much of the traces of the attacks as part of its standard procedure for evidence disposal.
Among the more interesting finds in the logs, according to Guerrero-Saade, was that Moonlight Maze had accidentally trained its own attack tools against itself multiple times. The attackers inadvertently infected their own machines with their sniffer and sent their own sniffed traffic to one of the servers. "This happened several instances," he says.
So Moonlight Maze inadvertently recorded its own live terminal sessions on its victims' servers. That information ultimately got sent back to HRtest, the UK company's old server that had been used by the attackers as a strategic relay system.
Guerrero-Saade says the team hopes to solicit help from other researchers to find further connections and clues to confirm that Moonlight Maze and Turla are one and the same. But so far, the new findings seem to back that up.
"If we are right – and I think we're in the right direction – we're talking about a 20-year-old threat actor," Guerrero-Saade says. "That would put them in the league of titans, which was only filled by the Equation Group until now."
But how times have changed for Moonlight Maze/Turla: "Moonlight Maze was trying to find its car keys in '96," he says of the group's nascent phase. Flash forward to now, with Turla able to mask a decades-old backdoor as a new one that continues to mostly evade detection. "Watching the tool evolve and it becomes one of their favorites. So they start to strip it down and add other functionality … and it becomes a main part of their arsenal."
Penquin Turla today is typically used in a second wave of attacks, using Unix servers as a channel for exfiltration. "I think there is a present-day security concern we need to address: How can it be that a 15-year-old backdoor is still capable of being effective on modern Linux systems," Guerrero-Saade says.
Turla long has been recognized as one of the more sophisticated and stealthy attack groups. It's constantly retooling its malware and file names, and other researchers have spotted other examples of this constant reinvention. Take Carbon, another backdoor from the Turla group. In the past three years since the creation of Carbon, researchers at ESET have identified eight active versions of this backdoor. Carbon - which Guerrero-Saade says is not related to the Penquin Turla backdoor - also has been in use by Turla for several years.
Jean-Ian Boutin, senior malware researcher at ESET, says Turla is unlike other Russian-speaking groups. "The tools they are making make more effort to stay under the radar. When information is published about them, they usually change their tactics, whereas APT 28 [aka Fancy Bear] stays on course" even if it's outed, he notes. APT 28 is thought to be the Russian GRU, its main intelligence directorate.
Another MO with Turla appears to hint at a Moonlight Maze-Turla connection, too. Turla's Carbon resembles another of its tools, the rootkit Uroburos - an older tool, according to Boutin. The two employ similar communications frameworks, with identical structures and virtual tables. The catch is, Carbon has fewer communications channels, so ESET believes it may be a light version of Uroburos, sans the kernel components and exploits. Like Kaspersky Lab, ESET doesn't attribute attacks to specific organizations.