New Evidence Links a 20-Year-Old Hack on the US Government to a Modern Attack Group
A UK company's vintage web server kept in storage for over 20 years connects the 'Moonlight Maze' attacks of the 90s to the 2000s hacker group Turla.
David Hedges' HP9000 Unix web server/Image: David Hedges
In September 1998, the US Department of Defense computer incident response team contacted a human resources company in London to say their web server had been hacked. Not only that—it had been hijacked and was being used to attack more than a thousand US government and military systems and steal massive volumes of data.
The DoD and FBI wanted to turn the server into a honeypot of sorts, and asked David Hedges, then an IT manager consulting for the company, to secretly record all the hacker's activity on the web server.
For months Hedges did just that, modifying the server slightly so the hackers wouldn't know they were being monitored, while recording their every interaction on the server from IP addresses around the world, including Moscow. To maintain secrecy and chain of custody, Hedges transferred the data via analog methods.
"My role was just as a postman, really"
"My role was just as a postman, really. Every two or three days I would download data from the server onto magneto-optical disks, which were collected by the [UK] Metropolitan Police, which sent them to the US via diplomatic [pouch]," he told Motherboard in a phone conversation from his home in the UK.
The attacks, which came to be known as Moonlight Maze—the codename US authorities gave them—are considered the first in a long line of hacks that have been attributed to the Russian government or Russian state-sponsored attackers over the years and are considered to be among the first examples of state-sponsored cyber espionage in history.
The Moonlight Maze hackers stole data pertaining to a variety of sensitive US projects, including weapons-guidance systems and naval intelligence codes, among others. This prompted an extensive counter-operation, with US investigators flying to Moscow to seek help from Russia's Ministry of Internal Affairs, in what turned out to be a fruitless endeavor.
But before that occurred, Hedges dutifully recorded the activity on his server for five months, until February 1999 when US lawmakers learned about it in a classified hearing, and someone leaked it to reporters—tipping off the attackers and bringing the activity on his server to an abrupt halt.
If the hackers went underground and continued their activity elsewhere, Hedges never knew it. That is, until last year when Thomas Rid, a professor in the Department of War Studies at King's College London, contacted him asking to look at his server.
Now that 20-year-old piece of hardware is proving to be highly valuable in that it contains evidence that may be a missing link connecting the decades-old Moonlight Maze attacks to more recent ones being perpetrated by a prolific hacking group known as Penquin Turla and Turla. The latter is a Russian-speaking group that surfaced in 2007 and is known by various other names as well, including Snake, Uroburos, Venomous Bear, and Krypton.
The evidence includes a backdoor, preserved on Hedges' machine, that has also been used by Turla. The backdoor, known as LOKI2, was used by the Moonlight Maze attackers to maintain persistence on Linux machines. It was a popular tool among various hackers in its day, after first being made available in 1996 by Phrack, a hacker magazine.
These days, it's considered a relic, except by one group—Turla, which has used a modified version of it in hacking operations. Juan Andres Guerrero-Saade, a researcher with Kaspersky Lab who has studied Turla extensively, said the group uses the backdoor as a fallback tool—if they get kicked out of the Windows systems on a network they've compromised, they use the LOKI tool to come back in through a Unix server. "It's something they kind of keep in their back pocket," he told Motherboard prior to a presentation that he and Rid gave today at Kaspersky's Security Analyst Summit held on the island of St. Maarten.
Guerrero-Saade and his colleagues are hesitant to say for certain that this proves the Moonlight Maze and Turla groups are the same. But the new information does make a compelling case that Russia's state-sponsored hackers never went away. At the very least, they are using one of the same tools that has not been popular among hackers since the 1990s and the heyday of the Moonlight Maze attacks.
"They've always done all kinds of innovative things," said Guerrero-Saade about Turla. But it would put them in an entirely different league altogether, he said, if it turns out they were active at a time when there was very little other nation-state hacking going on.
"They've always done all kinds of innovative things"
Rid has been researching the Moonlight Maze group for three years and featured the attacks in a book he published last year called Rise of the Machines. He became intrigued about a possible connection between that group and Turla after investigators who worked on the Moonlight Maze case hypothesized that the two might be connected.
Guerrero-Saade told Motherboard that the hypothesis initially didn't make sense "because all of the Turla code base starts around 2006 and 2007" and largely targets Windows machines; whereas the computers hacked in the Moonlight Maze operations a decade earlier were Solaris and Unix boxes. But when they looked at other parts of Turla code again, they noticed that the code base was actually older than they thought. "It looks like most of it was written and maintained from 1999 to 2004, which is extremely rare for malware that is being used at this time," he said.
But how to prove a connection to twenty-year-old hacks when the FBI had long since destroyed the evidence?
They found their answer to that question last year when Rid learned by chance about the role that Hedges' company played in the attacks, after the company's name got exposed in a government document that was poorly redacted. Rid contacted Hedges and found, remarkably, that Hedges still had the server (which his company had dubbed HRTest) in its original condition.
The HP9000 Unix machine, which cost more than £20,000 at the time, had been de-commissioned a year after the Moonlight Maze activity stopped. But Hedges, who retired from the company two years ago, took the server with him when he left the job.
"I was always interested in computers and held on to quite a lot of kit. And I actually thought that one day this might all come out into the open…[and that the server] might be very interesting from a history point of view," Hedges told Motherboard.
Hedges didn't look at the data at the time he recorded it—he just downloaded it and sent it off to the feds. If it wasn't for news reports about Moonlight Maze that came out months later, he never would have known the nature of what the hackers were doing, since the feds shared little information with him.
To help Rid and Kaspersky examine the data, he had to first buy an old Magneto optical drive off eBay so he could read it, then he sent it off to them for analysis last year.
"I actually thought that one day this might all come out into the open."
The artifacts they found on Hedges' server provide an interesting look at the group's early operations, showing how they improved their code and methods over time, if indeed they are the group now known as Turla.
"It's almost like archaeology; you can see the evolution of tradecraft," Rid told Motherboard. "There was a lot of handiwork involved. They didn't really use automated command-and-control at the time; they actually had to log in and move data around [manually]."
The Moonlight Maze group stripped away components that didn't work and combined tools that did to make them more potent. And unlike modern hacking operations that use a lot of automated scripts, the Moonlight Maze operators did everything in real time. They would log-in to Hedges' server in the morning and manually set up tasks to tell their malware what to do, which got populated out to all the infected machines on DoD and government networks that they controlled.
"This is hacking in the 90s, so it looks very different from what we're used to in modern operations," Guerrero-Saade said.
All of the data recovered from Hedges' server has been enlightening they said; but it's just one proxy the hackers used. Hedges' server was the launchpad to hack more than 1,000 systems, but there were other victims the Moonlight Maze group hacked through other proxies. "We have impressive historical visibility [through Hedges' server]," Guerrero-Saade said, "But it's actually humbling to sew how small it is in comparison to … this insane galaxy of victims."
Twenty years ago, investigators had no idea where their Moonlight Maze investigation would go. Rid says they still don't have full forensic evidence with all the breadcrumbs they'd like, but he's hoping that with today's revelation there might be other people holding on to decades-old evidence who will come forward.
"By making things public, more things become public," he told Motherboard.
Subscribe to pluspluspodcast, Motherboard's new show about the people and machines that are building our future.