Dark Reading is part of the Informa Tech Division of Informa PLC

Threat Intelligence

11:40 AM

Russian-Speaking APT Recycles Code Used in '90s Cyberattacks Against US

Researchers discover a connection between the Turla cyber espionage gang and a wave of attacks against US government agencies in the 1990s.

KASPERSKY SECURITY ANALYST SUMMIT 2017 -  St. Maarten -  Some security researchers have long suspected that the hacker group behind a wave of cyber espionage attacks in the mid- to late 1990s against NASA, the US military, the Department of Energy, universities, and other US government agencies is the very same group known as Turla, aka Venomous Bear, Uroburos, and Snake, an especially stealthy and innovative Russian-speaking attack team that has been active since 2007. There has been no solid technical evidence to make that connection - until now.

Researchers from Kaspersky Lab and King's College London here today announced that they have connected the dots between the Moonlight Maze attackers of the '90s and the currently active Turla group, a cyber espionage team that, among other novel methods, hijacks unencrypted satellite links to quietly exfiltrate data stolen from its victims. The two groups may be one and the same, according to the researchers, which would make Turla/Moonlight Maze one of the longest-running attack groups, alongside the Equation Group. The link is recycled code: a Linux backdoor known today as Penquin Turla, built on an open-source covert data-exfiltration tool the group may have kept in its arsenal all these years, shares code with a backdoor used in the '90s attack wave.

King's College's Thomas Rid, in his 2016 book "Rise of the Machines," had already pointed out connections between the two generations of attacks, but the researchers decided to dig further for technical proof. The team obtained a valuable relic from the Moonlight Maze attacks: a hijacked server that one of the UK victims had kept for nearly two decades, ever since the FBI and US Department of Defense found forensic evidence on it linking the attacks to Russian ISPs. Rid, his King's College colleague Daniel Moore, and Kaspersky researchers Costin Raiu and Juan Andres Guerrero-Saade then spent nine months analyzing logs and artifacts from the server for clues that could prove more definitively that the '90s-era attack group lives on today as Turla. The attackers who infiltrated US government and research networks back then had used the server as a proxy, so it gives the researchers a snapshot in time: 1998-1999.

Moonlight Maze used open-source Unix tools to target Sun Solaris servers, which were common in those environments at the time. The researchers spotted the ties between the Moonlight Maze backdoor, based on the open-source LOKI2 program (a covert-channel tool dating back to 1996 that tunnels its command traffic inside ICMP echo payloads), and Penquin Turla, a Linux backdoor Kaspersky researchers first found in 2014. They found something they hadn't noticed when they first studied Penquin nearly three years ago: it, too, is based on LOKI2.
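A practitioner reading this will want to know what a LOKI2-style channel looks like on the wire and how to spot it. The script below is an added example, not code from the article, from Kaspersky or from King's College, and it does not reproduce LOKI2 itself. It relies on two properties of genuine ping traffic: an echo reply must carry back the request's data (RFC 792), and default ping payloads are fixed patterns (Linux/BSD ping writes byte i at offset i after its timestamp; Windows ping sends the ASCII string "abcdefghijklmnopqrstuvwabcdefghi"). A tunnel endpoint answers with different data and sends payloads that match neither pattern. The sample packets, including the hypothetical command and output carried in the tunnel, are constructed inline for the demonstration.

```python
"""Heuristic detection of a LOKI2-style ICMP covert channel.

Added example (not the article's or any vendor's code).  The checks are
heuristics: a custom `ping -p` pattern would trip the payload test and
must be whitelisted by the operator.
"""
import math
import struct
from collections import Counter

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(msg: bytes) -> int:
    """RFC 1071 one's-complement sum over the ICMP message.  Returns 0 for a
    message whose checksum field is already correct."""
    if len(msg) % 2:
        msg += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(msg) // 2), msg))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, data: bytes) -> bytes:
    """Build a checksummed ICMP echo request/reply (used for the samples)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + data)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + data


def parse_icmp(msg: bytes) -> dict:
    """Split an ICMP message (IP header already stripped) into its fields."""
    if len(msg) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "data": msg[8:], "checksum_ok": icmp_checksum(msg) == 0}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, reported with alerts to help triage."""
    n = len(data)
    return 0.0 if n == 0 else -sum(
        c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ping_padding(data: bytes) -> bool:
    """True for the default payloads of Linux/BSD ping and Windows ping.
    Linux/BSD: byte i == i after the timestamp; offsets >= 16 are safe to
    test whether the timestamp occupies 8 or 16 bytes."""
    if data == WINDOWS_PING_PAYLOAD:
        return True
    return len(data) > 16 and all(data[i] == (i & 0xFF) for i in range(16, len(data)))


def analyze(packets):
    """Return (id, seq, reason) alerts for echo traffic that does not behave
    like ping.  Requests are matched to replies by (id, seq)."""
    alerts = []
    outstanding = {}
    for raw in packets:
        p = parse_icmp(raw)
        key = (p["id"], p["seq"])
        if p["type"] == ICMP_ECHO_REQUEST:
            outstanding[key] = p["data"]
            if not looks_like_ping_padding(p["data"]):
                alerts.append((p["id"], p["seq"],
                               "request payload is not a standard ping pattern "
                               "(entropy %.2f bits/byte)" % shannon_entropy(p["data"])))
        elif p["type"] == ICMP_ECHO_REPLY:
            sent = outstanding.pop(key, None)
            if sent is not None and sent != p["data"]:
                alerts.append((p["id"], p["seq"],
                               "reply data differs from request data (RFC 792 violation)"))
    return alerts


def sample_packets():
    """Constructed traffic: a Linux ping pair, a Windows ping pair, and one
    hypothetical tunnel exchange carrying a command and its output."""
    timestamp = bytes.fromhex("0000000066a1b2c3000000000006f1e2")  # 16-byte timeval
    linux_pad = timestamp + bytes(range(16, 56))                    # 56-byte default
    return [
        build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, linux_pad),
        build_echo(ICMP_ECHO_REPLY, 0x1234, 1, linux_pad),
        build_echo(ICMP_ECHO_REQUEST, 0x5678, 1, WINDOWS_PING_PAYLOAD),
        build_echo(ICMP_ECHO_REPLY, 0x5678, 1, WINDOWS_PING_PAYLOAD),
        build_echo(ICMP_ECHO_REQUEST, 0xBEEF, 7, b"cat /etc/passwd\n"),
        build_echo(ICMP_ECHO_REPLY, 0xBEEF, 7, b"root:x:0:0:root:/root:/bin/bash\n"),
    ]


if __name__ == "__main__":
    for ident, seq, reason in analyze(sample_packets()):
        print("id=0x%04x seq=%d: %s" % (ident, seq, reason))
```

Run against the constructed samples, the two ping pairs pass and the tunnel exchange raises two alerts: the request payload matches no ping pattern, and the reply carries different data than the request. To use it on real traffic, feed `analyze` the ICMP layer of captured packets (for example, the bytes after the IP header from a pcap); the reply-mirroring check is the stronger of the two, since it holds for every RFC-compliant ping implementation regardless of payload pattern.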

Kaspersky Lab, as a policy, does not attribute cyber espionage groups to governments. Guerrero-Saade, senior security researcher with Kaspersky, confirmed that the Turla gang's artifacts include Russian-language elements and Russian IP addresses connecting to the attacked machine, but declined to comment on whether Turla is a Russian state actor. "We found small Russian-language artifacts and connections to Russian IPs," he says, adding that Moore concluded that the activity in the logs jibed with the Russian time zone.

Meanwhile, the researchers had plenty of logs to peruse and study from the old server, he says. "No one working on the incident [in the 1990s] ever got to see how it worked … We now have a comprehensive glimpse at how they were carrying out their operations," Guerrero-Saade says. It wasn't until 1999 that word of the FBI's investigation into the attacks leaked publicly, but most of the information surrounding the attacks has remained classified. The FBI had destroyed much of the traces of the attacks as part of its standard procedure for evidence disposal.

Among the more interesting finds in the logs, according to Guerrero-Saade, was that Moonlight Maze had accidentally trained its own attack tools against itself multiple times. The attackers inadvertently infected their own machines with their sniffer and sent their own sniffed traffic to one of the servers. "This happened several instances," he says. 

So Moonlight Maze inadvertently recorded its own live terminal sessions on its victims' servers. That information ultimately got sent back to HRtest, the UK company's old server that had been used by the attackers as a strategic relay system.

Guerrero-Saade says the team hopes to solicit help from other researchers to find further connections and clues to confirm that Moonlight Maze and Turla are one and the same. But so far, the new findings seem to back that up.

"If we are right – and I think we're in the right direction – we're talking about a 20-year-old threat actor," Guerrero-Saade says. "That would put them in the league of titans, which was only filled by the Equation Group until now."

But how times have changed for Moonlight Maze/Turla: "Moonlight Maze was trying to find its car keys in '96," he says of the group's nascent phase. Flash forward to now, with Turla able to mask a decades-old backdoor as a new one that continues to mostly evade detection. "Watching the tool evolve and it becomes one of their favorites. So they start to strip it down and add other functionality … and it becomes a main part of their arsenal."

Second Wave

Penquin Turla today is typically used in a second wave of attacks, using Unix servers as a channel for exfiltration. "I think there is a present-day security concern we need to address: How can it be that a 15-year-old backdoor is still capable of being effective on modern Linux systems," Guerrero-Saade says.

Turla long has been recognized as one of the more sophisticated and stealthy attack groups. It's constantly retooling its malware and file names, and other researchers have spotted other examples of this constant reinvention. Take Carbon, another backdoor from the Turla group. In the past three years since the creation of Carbon, researchers at ESET have identified eight active versions of this backdoor. Carbon - which Guerrero-Saade says is not related to the Penquin Turla backdoor - also has been in use by Turla for several years.

Jean-Ian Boutin, senior malware researcher at ESET, says Turla is unlike other Russian-speaking groups. "The tools they are making make more effort to stay under the radar. When information is published about them, they usually change their tactics, whereas APT 28 [aka Fancy Bear] stays on course" even if it's outed, he notes. APT 28 is believed to be run by the GRU, Russia's main military intelligence directorate.

Another Turla habit, reusing and trimming its own code, fits the pattern the Moonlight Maze research points to. Turla's Carbon resembles another of its tools, the older Uroburos rootkit, according to Boutin. The two employ similar communication frameworks, with identical structures and virtual tables. The catch is that Carbon has fewer communication channels, so ESET believes it may be a lightweight version of Uroburos, without the kernel components and exploits. Like Kaspersky Lab, ESET doesn't attribute attacks to specific organizations.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
