Moonlight Maze was a 1999 US government investigation into a massive data breach of classified information. It started in 1996 and affected NASA, the Pentagon, military contractors, civilian academics, the DOE, and numerous other American government agencies. By the end of 1999, the Moonlight Maze task force was composed of forty specialists from Law Enforcement, Military, and Government. The investigators claimed that if all the information stolen was printed out and stacked, it would be three times the height of the Washington monument (which is more than 550 ft tall). The Russian government was blamed for the attacks, although there was initially little hard evidence to back up the US’ accusations besides a Russian IP address that was traced to the hack. Moonlight Maze represents one of the first widely known cyber-espionage campaigns in world history. It was even classified as an Advanced Persistent Threat (a very serious designation for stealthy computer network threat actors, typically a nation state or state-sponsored group) after two years of constant assault. Although Moonlight Maze was regarded as an isolated attack for many years, unrelated investigations revealed that the threat actor involved in the attack continued to be active and employ similar methods until as recently as 2016.
Methods of Attack
The hack began with the hackers building "back doors" through which they could re-enter the infiltrated systems at will and steal further data; they also left behind tools that reroute specific network traffic through Russia. Everything they exploited during the attacks came from publicly available resources, not their own creation. In most cases, the exploits were discovered by system administrators with the intention of informing others of the vulnerabilities present in their own systems, but were instead manipulated for malicious purposes. The hackers found success since software manufacturers and maintainers were not vigilant about making sure there were no flaws in their systems. They would leave known vulnerabilities unpatched for long periods of time, sometimes as long six months to a year, neglecting any security patch cycles. This was because prior to Moonlight Maze, no-one was aware of the damage that could be done through cyber attacks since the internet was still relatively new. As a result, they were extremely vulnerable and not very difficult to infiltrate, resulting in one of the largest data breaches of classified information in history. In order to conceal their location and throw off investigators, the hackers relayed their connection through various vulnerable institutions like universities, libraries, and more since the servers they hacked could only see the last location they routed through (called proxying).
Describing the attack in testimony before Congress, James Adams, CEO of Infrastructure Defense Inc, warned that "the information was shipped over the Internet to Moscow for sale to the highest bidder" and that "The value of this stolen information is in the tens of millions, perhaps hundreds of millions of dollars." Information recovered in the hack may have included classified naval codes and data on missile-guidance systems, as well as other highly valued military data. They also stole tens of thousands of files containing technical research, military maps, U.S. troop configurations, military hardware designs, encryption techniques, and unclassified but crucial data relating to the Pentagon's war-planning, all of which could be sold to enemies of the United States. These attacks had very serious implications regarding the US’ ability to defend itself. With the information acquired from the attack, the hackers might have been able to cripple US missile defense systems and cause an unimaginable amount of damage. Juan Andres Guerrero-Saade, Senior Security Researcher at Kaspersky Lab, put it well when he said "The analysis of the Moonlight Maze samples is not just a fascinating archaeological study; it is also a reminder that well-resourced adversaries aren’t going anywhere, it’s up to us to defend systems with skills to match."
Connection to Turla
Turla is a Russian-language threat actor known for its covert exfiltration tactics such as the use of hijacked satellite connections, waterholing of government websites, covert channel backdoors, rootkits, and deception tactics. The group's roots trace back to the once famous Agent.BTZ, a computer virus which had the ability to replicate itself as well as to scan for and steal data. The virus was used to briefly cripple the United States Military, and was described as "the most significant breach of U.S. military computers ever" by a senior Pentagon official. This dates their rise to prominence around 2006-2007, a few years before Agent.BTZ, and almost 10 years after the events of Moonlight Maze. It was't until many years later, however, that information would come out linking Turla to Moonlight Maze. A group consisting of Kaspersky's Guerrero-Saade and Costin Raiu, and King's College London's Thomas Rid and Danny Moore was able to track down a retired IT administrator who was the owner of a 1998 server which had been used as a proxy for Moonlight Maze. This was a huge breakthrough considering the long period of presumed inactivity (almost 20 years). They then used the server to spy on the threat actor, and were able to retrieve a complete log of the attackers code, with which after almost a year of thorough analysis, they were able to find a connection between rare Linux samples used by both Turla and Moonlight Maze (the code they shared was related to a backdoor used on LOKI 2, an information tunneling program released in 1996).
- "Lodon Times--- Russian Hack DoD computers". greenspun.com. Retrieved 2019-10-15.
- Doman, Chris (2018-01-22). "The First Cyber Espionage Attacks: How Operation Moonlight Maze made history". Medium. Retrieved 2019-10-17.
- Team, SecureWorld News. "Moonlight Maze Lives On? Researchers Find 20-Year-Old Link to Current APT". www.secureworldexpo.com. Retrieved 2019-10-17.
- "Information Security: Effective Patch Management is Critical to Mitigating Software Vulnerabilities". www.govinfo.gov. Retrieved 2019-11-07.
- Adams, James (2 March 2000). "Testimony of James Adams Chief Executive Officer Infrastructure Defense, INC". Federation of American Scientists. Retrieved 17 October 2019.
- Adams, James (2001). "Virtual Defense". Foreign Affairs. 80 (3): 98–112. doi:10.2307/20050154. ISSN 0015-7120. JSTOR 20050154.
- "Defense Department Confirms Critical Cyber-attack". eWEEK. Retrieved 2019-10-17.