Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

11:40 AM
Connect Directly

Russian-Speaking APT Recycles Code Used in '90s Cyberattacks Against US

Researchers discover connection between Turla cyber espionage gang and wave of attacks against US government agencies in the 1990's.

KASPERSKY SECURITY ANALYST SUMMIT 2017 -  St. Maarten -  Some security researchers long have suspected that the hacker group behind a wave of cyber espionage attacks in the mid- to late 1990's against NASA, the US military, Department of Energy, universities, and other US government agencies is the very same group known as Turla, aka Venomous Bear, Uroburos, and Snake, an especially stealthy and innovative Russian-speaking attack team that has been active since 2007. There has been no solid technical evidence to make that connection - until now.

Researchers from Kaspersky Lab and Kings College London here today announced that they have been able to connect the dots from the Moonlight Maze attackers from the '90s and the currently active Turla group, a cyber espionage team that, among other novel methods, hijacks unencrypted satellite links to help quietly exfiltrate data stolen from its victims. It appears the two groups may be one and the same, according to the researchers, which would make Turla/Moonlight Maze one of the longest-running attack groups alongside the Equation Group. They discovered that Turla has recycled and reused code it may have had in its arsenal all these years, employing an open-source, stealthy, data extraction tool-based backdoor - known today as Penquin Turla - that shares code with another backdoor they used in the '90s attack wave.

Kings College's Thomas Rid, in his 2016 book "Rise of the Machines," had already pointed out connections between the two generations of attacks, but the researchers decided to dig further and root out some technical proof. The team was able to obtain a valuable relic from the Moonlight Maze attacks: an old hijacked server one of the UK victims had saved over the past two decades since the FBI and US Department of Defense had found forensic evidence showing a link to Russian ISPs. Rid, his colleague at Kings College Daniel Moore, and Kaspersky researchers Costin Raiu and Juan Andres Guerrero-Saade then spent nine months analyzing and studying logs and artifacts from the server for clues that could more definitively prove that the '90s-era attack group lives today as Turla. The attackers that infiltrated US government and research networks back then had used the server as a proxy. The server provided the researchers a snapshot of time: 1998-1999.

Moonlight Maze exploited open-source Unix tools to target Sun Solaris-based Unix servers, which were popular back in the day in those environments. The researchers spotted the ties between the Moonlight Maze backdoor, which was based on the open-source LOKI2 program that dates back to 1996, with Penquin Turla, a Linux-based backdoor tool Kaspersky researchers first found in 2014. They found something they hadn't first noticed when they studied Penquin nearly three years ago: it also is based on LOKI2. 

Kaspersky Lab as a policy does not identify cyber espionage groups. Guerrero-Saade, senior security researcher with Kaspersky, confirmed that Turla gang's artifacts feature Russian-speaking elements and Russian IPs connecting to the attacked machine, but declined to comment on whether Turla is a Russian state actor. "We found small Russian-language artifacts and connections to Russian IPs," he says, adding that Moore concluded that the logs jibed with the Russian time zone.

Meanwhile, the researchers had plenty of logs to peruse and study from the old server, he says. "No one working on the incident [in the 1990s] ever got to see how it worked … We now have a comprehensive glimpse at how they were carrying out their operations," Guerrero-Saade says. It wasn't until 1999 that word of the FBI's investigation into the attacks leaked publicly, but most of the information surrounding the attacks has remained classified. The FBI had destroyed much of the traces of the attacks as part of its standard procedure for evidence disposal.

Among the more interesting finds in the logs, according to Guerrero-Saade, was that Moonlight Maze had accidentally trained its own attack tools against itself multiple times. The attackers inadvertently infected their own machines with their sniffer and sent their own sniffed traffic to one of the servers. "This happened several instances," he says. 

So Moonlight Maze inadvertently recorded its own live terminal sessions on its victims' servers. That information ultimately got sent back to HRtest, the UK company's old server that had been used by the attackers as a strategic relay system.

Guerrero-Saade says the team hopes to solicit help from other researchers to find further connections and clues to confirm that Moonlight Maze and Turla are one and the same. But so far, the new findings seem to back that up.

"If we are right – and I think we're in the right direction – we're talking about a 20-year-old threat actor," Guerrero-Saade says. "That would put them in the league of titans, which was only filled by the Equation Group until now."

But how times have changed for Moonlight Maze/Turla: "Moonlight Maze was trying to find its car keys in '96," he says of the group's nascent phase. Flash forward to now, with Turla able to mask a decades-old backdoor as a new one that continues to mostly evade detection. "Watching the tool evolve and it becomes one of their favorites. So they start to strip it down and add other functionality … and it becomes a main part of their arsenal."

Second Wave

Penquin Turla today is typically used in a second wave of attacks, using Unix servers as a channel for exfiltration. "I think there is a present-day security concern we need to address: How can it be that a 15-year-old backdoor is still capable of being effective on modern Linux systems," Guerrero-Saade says.

Turla long has been recognized as one of the more sophisticated and stealthy attack groups. It's constantly retooling its malware and file names, and other researchers have spotted other examples of this constant reinvention. Take Carbon, another backdoor from the Turla group. In the past three years since the creation of Carbon, researchers at ESET have identified eight active versions of this backdoor. Carbon - which Guerrero-Saade says is not related to the Penquin Turla backdoor - also has been in use by Turla for several years.

Jean-Ian Boutin, senior malware researcher at ESET, says Turla is unlike other Russian-speaking groups. "The tools they are making make more effort to stay under the radar. When information is published about them, they usually change their tactics, whereas APT 28 [aka Fancy Bear] stays on course" even if it's outed, he notes. APT 28 is thought to be the Russian GRU, its main intelligence directorate.

Another MO with Turla appears to hint at a Moonlight Maze-Turla connection, too. Turla's Carbon resembles another of its tools, the rootkit Uroburos - an older tool, according to Boutin. The two employ similar communications frameworks, with identical structures and virtual tables. The catch is, Carbon has fewer communications channels, so ESET believes it may be a light version of Uroburos, sans the kernel components and exploits. Like Kaspersky Lab, ESET doesn't attribute attacks to specific organizations.

Related Content:

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-14
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
PUBLISHED: 2020-08-14
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.