Dark Reading is part of the Informa Tech Division of Informa PLC
Russian-Speaking APT Recycles Code Used in '90s Cyberattacks Against US

Researchers discover a connection between the Turla cyber espionage gang and the wave of attacks against US government agencies in the 1990s.

KASPERSKY SECURITY ANALYST SUMMIT 2017 -  St. Maarten -  Some security researchers have long suspected that the hacker group behind a wave of cyber espionage attacks in the mid- to late 1990s against NASA, the US military, the Department of Energy, universities, and other US government agencies is the very same group known as Turla, aka Venomous Bear, Uroburos, and Snake, an especially stealthy and innovative Russian-speaking attack team that has been active since 2007. There has been no solid technical evidence to make that connection - until now.

Researchers from Kaspersky Lab and King's College London here today announced that they have been able to connect the dots between the Moonlight Maze attackers from the '90s and the currently active Turla group, a cyber espionage team that, among other novel methods, hijacks unencrypted satellite links to help quietly exfiltrate data stolen from its victims. It appears the two groups may be one and the same, according to the researchers, which would make Turla/Moonlight Maze one of the longest-running attack groups alongside the Equation Group. They discovered that Turla has recycled and reused code it may have had in its arsenal all these years: a stealthy backdoor built on an open-source data extraction tool - known today as Penquin Turla - shares code with a backdoor the group used in the '90s attack wave.

King's College's Thomas Rid, in his 2016 book "Rise of the Machines," had already pointed out connections between the two generations of attacks, but the researchers decided to dig further and root out some technical proof. The team was able to obtain a valuable relic from the Moonlight Maze attacks: an old hijacked server that one of the UK victims had saved over the past two decades, ever since the FBI and US Department of Defense had found forensic evidence on it showing a link to Russian ISPs. Rid, his King's College colleague Daniel Moore, and Kaspersky researchers Costin Raiu and Juan Andres Guerrero-Saade then spent nine months analyzing and studying logs and artifacts from the server for clues that could more definitively prove that the '90s-era attack group lives on today as Turla. The attackers that infiltrated US government and research networks back then had used the server as a proxy. The server provided the researchers a snapshot in time: 1998-1999.

Moonlight Maze exploited open-source Unix tools to target Sun Solaris-based Unix servers, which were popular in those environments back in the day. The researchers spotted the ties between the Moonlight Maze backdoor, which was based on the open-source LOKI2 program that dates back to 1996, and Penquin Turla, a Linux-based backdoor tool Kaspersky researchers first found in 2014. They found something they hadn't noticed when they first studied Penquin nearly three years ago: it, too, is based on LOKI2.

Kaspersky Lab as a policy does not identify cyber espionage groups. Guerrero-Saade, senior security researcher with Kaspersky, confirmed that the Turla gang's artifacts feature Russian-speaking elements and Russian IPs connecting to the attacked machine, but declined to comment on whether Turla is a Russian state actor. "We found small Russian-language artifacts and connections to Russian IPs," he says, adding that Moore concluded that the timing of activity in the logs jibed with the Russian time zone.

Meanwhile, the researchers had plenty of logs to peruse and study from the old server, he says. "No one working on the incident [in the 1990s] ever got to see how it worked … We now have a comprehensive glimpse at how they were carrying out their operations," Guerrero-Saade says. It wasn't until 1999 that word of the FBI's investigation into the attacks leaked publicly, but most of the information surrounding the attacks has remained classified. The FBI had destroyed much of the traces of the attacks as part of its standard procedure for evidence disposal.

Among the more interesting finds in the logs, according to Guerrero-Saade, was that Moonlight Maze had accidentally turned its own attack tools against itself multiple times. The attackers inadvertently infected their own machines with their sniffer and sent their own sniffed traffic to one of the servers. "This happened in several instances," he says.

So Moonlight Maze inadvertently recorded its own live terminal sessions on its victims' servers. That information ultimately got sent back to HRtest, the UK company's old server that had been used by the attackers as a strategic relay system.

Guerrero-Saade says the team hopes to solicit help from other researchers to find further connections and clues to confirm that Moonlight Maze and Turla are one and the same. But so far, the new findings seem to back that up.

"If we are right – and I think we're in the right direction – we're talking about a 20-year-old threat actor," Guerrero-Saade says. "That would put them in the league of titans, which was only filled by the Equation Group until now."

But how times have changed for Moonlight Maze/Turla: "Moonlight Maze was trying to find its car keys in '96," he says of the group's nascent phase. Flash forward to now, with Turla able to mask a decades-old backdoor as a new one that continues to mostly evade detection. "Watching the tool evolve and it becomes one of their favorites. So they start to strip it down and add other functionality … and it becomes a main part of their arsenal."

Second Wave

Penquin Turla today is typically used in a second wave of attacks, using Unix servers as a channel for exfiltration. "I think there is a present-day security concern we need to address: How can it be that a 15-year-old backdoor is still capable of being effective on modern Linux systems," Guerrero-Saade says.

Turla long has been recognized as one of the more sophisticated and stealthy attack groups. It's constantly retooling its malware and file names, and other researchers have spotted other examples of this constant reinvention. Take Carbon, another backdoor from the Turla group. In the past three years since the creation of Carbon, researchers at ESET have identified eight active versions of this backdoor. Carbon - which Guerrero-Saade says is not related to the Penquin Turla backdoor - also has been in use by Turla for several years.

Jean-Ian Boutin, senior malware researcher at ESET, says Turla is unlike other Russian-speaking groups. "The tools they are making make more effort to stay under the radar. When information is published about them, they usually change their tactics, whereas APT 28 [aka Fancy Bear] stays on course" even if it's outed, he notes. APT 28 is thought to be operated by the Russian GRU, the country's main military intelligence directorate.

Another MO with Turla appears to hint at a Moonlight Maze-Turla connection, too. Turla's Carbon resembles another of its tools, the rootkit Uroburos - an older tool, according to Boutin. The two employ similar communications frameworks, with identical structures and virtual tables. The catch is, Carbon has fewer communications channels, so ESET believes it may be a light version of Uroburos, sans the kernel components and exploits. Like Kaspersky Lab, ESET doesn't attribute attacks to specific organizations.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...