Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

4/3/2017
11:40 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Russian-Speaking APT Recycles Code Used in '90s Cyberattacks Against US

Researchers discover connection between Turla cyber espionage gang and wave of attacks against US government agencies in the 1990's.

KASPERSKY SECURITY ANALYST SUMMIT 2017 -  St. Maarten -  Some security researchers long have suspected that the hacker group behind a wave of cyber espionage attacks in the mid- to late 1990's against NASA, the US military, Department of Energy, universities, and other US government agencies is the very same group known as Turla, aka Venomous Bear, Uroburos, and Snake, an especially stealthy and innovative Russian-speaking attack team that has been active since 2007. There has been no solid technical evidence to make that connection - until now.

Researchers from Kaspersky Lab and Kings College London here today announced that they have been able to connect the dots from the Moonlight Maze attackers from the '90s and the currently active Turla group, a cyber espionage team that, among other novel methods, hijacks unencrypted satellite links to help quietly exfiltrate data stolen from its victims. It appears the two groups may be one and the same, according to the researchers, which would make Turla/Moonlight Maze one of the longest-running attack groups alongside the Equation Group. They discovered that Turla has recycled and reused code it may have had in its arsenal all these years, employing an open-source, stealthy, data extraction tool-based backdoor - known today as Penquin Turla - that shares code with another backdoor they used in the '90s attack wave.

Kings College's Thomas Rid, in his 2016 book "Rise of the Machines," had already pointed out connections between the two generations of attacks, but the researchers decided to dig further and root out some technical proof. The team was able to obtain a valuable relic from the Moonlight Maze attacks: an old hijacked server one of the UK victims had saved over the past two decades since the FBI and US Department of Defense had found forensic evidence showing a link to Russian ISPs. Rid, his colleague at Kings College Daniel Moore, and Kaspersky researchers Costin Raiu and Juan Andres Guerrero-Saade then spent nine months analyzing and studying logs and artifacts from the server for clues that could more definitively prove that the '90s-era attack group lives today as Turla. The attackers that infiltrated US government and research networks back then had used the server as a proxy. The server provided the researchers a snapshot of time: 1998-1999.

Moonlight Maze exploited open-source Unix tools to target Sun Solaris-based Unix servers, which were popular back in the day in those environments. The researchers spotted the ties between the Moonlight Maze backdoor, which was based on the open-source LOKI2 program that dates back to 1996, with Penquin Turla, a Linux-based backdoor tool Kaspersky researchers first found in 2014. They found something they hadn't first noticed when they studied Penquin nearly three years ago: it also is based on LOKI2. 

Kaspersky Lab as a policy does not identify cyber espionage groups. Guerrero-Saade, senior security researcher with Kaspersky, confirmed that Turla gang's artifacts feature Russian-speaking elements and Russian IPs connecting to the attacked machine, but declined to comment on whether Turla is a Russian state actor. "We found small Russian-language artifacts and connections to Russian IPs," he says, adding that Moore concluded that the logs jibed with the Russian time zone.

Meanwhile, the researchers had plenty of logs to peruse and study from the old server, he says. "No one working on the incident [in the 1990s] ever got to see how it worked … We now have a comprehensive glimpse at how they were carrying out their operations," Guerrero-Saade says. It wasn't until 1999 that word of the FBI's investigation into the attacks leaked publicly, but most of the information surrounding the attacks has remained classified. The FBI had destroyed much of the traces of the attacks as part of its standard procedure for evidence disposal.

Among the more interesting finds in the logs, according to Guerrero-Saade, was that Moonlight Maze had accidentally trained its own attack tools against itself multiple times. The attackers inadvertently infected their own machines with their sniffer and sent their own sniffed traffic to one of the servers. "This happened several instances," he says. 

So Moonlight Maze inadvertently recorded its own live terminal sessions on its victims' servers. That information ultimately got sent back to HRtest, the UK company's old server that had been used by the attackers as a strategic relay system.

Guerrero-Saade says the team hopes to solicit help from other researchers to find further connections and clues to confirm that Moonlight Maze and Turla are one and the same. But so far, the new findings seem to back that up.

"If we are right – and I think we're in the right direction – we're talking about a 20-year-old threat actor," Guerrero-Saade says. "That would put them in the league of titans, which was only filled by the Equation Group until now."

But how times have changed for Moonlight Maze/Turla: "Moonlight Maze was trying to find its car keys in '96," he says of the group's nascent phase. Flash forward to now, with Turla able to mask a decades-old backdoor as a new one that continues to mostly evade detection. "Watching the tool evolve and it becomes one of their favorites. So they start to strip it down and add other functionality … and it becomes a main part of their arsenal."

Second Wave

Penquin Turla today is typically used in a second wave of attacks, using Unix servers as a channel for exfiltration. "I think there is a present-day security concern we need to address: How can it be that a 15-year-old backdoor is still capable of being effective on modern Linux systems," Guerrero-Saade says.

Turla long has been recognized as one of the more sophisticated and stealthy attack groups. It's constantly retooling its malware and file names, and other researchers have spotted other examples of this constant reinvention. Take Carbon, another backdoor from the Turla group. In the past three years since the creation of Carbon, researchers at ESET have identified eight active versions of this backdoor. Carbon - which Guerrero-Saade says is not related to the Penquin Turla backdoor - also has been in use by Turla for several years.

Jean-Ian Boutin, senior malware researcher at ESET, says Turla is unlike other Russian-speaking groups. "The tools they are making make more effort to stay under the radar. When information is published about them, they usually change their tactics, whereas APT 28 [aka Fancy Bear] stays on course" even if it's outed, he notes. APT 28 is thought to be the Russian GRU, its main intelligence directorate.

Another MO with Turla appears to hint at a Moonlight Maze-Turla connection, too. Turla's Carbon resembles another of its tools, the rootkit Uroburos - an older tool, according to Boutin. The two employ similar communications frameworks, with identical structures and virtual tables. The catch is, Carbon has fewer communications channels, so ESET believes it may be a light version of Uroburos, sans the kernel components and exploits. Like Kaspersky Lab, ESET doesn't attribute attacks to specific organizations.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4147
PUBLISHED: 2019-09-16
IBM Sterling File Gateway 2.2.0.0 through 6.0.1.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 158413.
CVE-2019-5481
PUBLISHED: 2019-09-16
Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.
CVE-2019-5482
PUBLISHED: 2019-09-16
Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.
CVE-2019-15741
PUBLISHED: 2019-09-16
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. An unsafe interaction with logrotate could result in a privilege escalation
CVE-2019-16370
PUBLISHED: 2019-09-16
The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.