A 20-YEAR-OLD BACKDOOR dubbed 'Moonlight Maze' has been linked with the Turla malware family, following an in-depth code analysis by researchers at King's College in London and security outfit Kaspersky.
Moonlight Maze targeted Pentagon and NASA systems in the late 1990s, exploiting security flaws in Sun Microsystems' (now Oracle's) Solaris Unix operating system. While some details of these attacks were publicised at the time, much of it was hushed up.
The findings of the research by King's College and Kaspersky indicate that a backdoor used in 1998 by Moonlight Maze to tunnel information out of targeted networks connects to a backdoor used by Turla in 2011 and, possibly, this year too.
The findings show that Moonlight Maze made use of a backdoor based on LOKI2, an application from 1996 that enables users to extract data via covert channels.
This led the researchers to take a second look at some rare Linux samples used by Turla that Kaspersky had discovered in 2014. Named Penquin Turla, these samples are also based on LOKI2, and the re-analysis showed that all of them use code created between 1999 and 2004.
Furthermore, the code is still being used in attacks today, claims Kaspersky.
It was spotted in the wild in 2011 when it was found in an attack on Swiss defence contractor RUAG. In March 2017, Kaspersky researchers discovered a new sample of the Penquin Turla backdoor, this time submitted from a system in Germany.
It is possible that Turla uses the old code for attacks on highly secure entities that might be harder to breach using its more standard Windows toolset, suggest the researchers.
"In the late 1990s, no-one foresaw the reach and persistence of a coordinated cyber-espionage campaign. We need to ask ourselves why it is that attackers are still able to successfully leverage ancient code in modern attacks," said Juan Andres Guerrero-Saade, senior security researcher at Kaspersky.
"The analysis of the Moonlight Maze samples is not just a fascinating archaeological study; it is also a reminder that well-resourced adversaries aren't going anywhere; it's up to us to defend systems with skills to match."
As part of the research, Kaspersky and the researchers at King's College were able to conduct forensics on a server that had been used as a proxy in the original Moonlight Maze attacks.
This server, 'HRTest', had been used to launch attacks on the US. The now-retired IT professional responsible for it had kept it, along with copies of everything relating to the attacks, and made his files available to King's College and Kaspersky for their analysis.