Back in the 90s, in 1996, when the Internet was barely a few years old, two cyber-espionage groups dominated the cyber-space: Moonlight Maze and the Equation Group.

Their operations shocked the world and made people realize that hackers are also capable of stealing state secrets, not just money from bank accounts. That's when the term cyber-warfare became reality and not just the plot B-rated Hollywood movies.

While details collected about the Equation Group across the years have allowed researchers to issue theories on its connections with the US National Security Agency, very few details were collected about Moonlight Maze, the first ever APT.

Moonlight Maze, the first ever APT

The group was active in the late 90s and seemed to have disappeared at the turn of the century. Their attacks were studied and studied again and their mode of operation became standard practice for malware and cyber-attackers.

The group and its attacks achieved mythical status in the cyber-security world and were the subject of many books.

Through the years, Moonlight Maze hacked many important US targets such as government agencies and top universities. Victims included the Pentagon, NASA, the US Navy, and the Department of Energy, just to name the bigger ones.

Old newspaper

Moonlight Maze group evolves, investigators fall behind

For years investigators collected mountains of evidence but failed to make any headway into the investigation. They said Moonlight Maze operators stole so much information that if printed on paper it would stand three times higher than the Washington Monument. Data on all attacks was classified.

As years went by, cyber-espionage became standard practice. Multiple groups had become active, and investigators needed to focus on current-day threats. That's why all Moonlight Maze data, on which the investigation was stalling, was permanently destroyed in 2008.

The world seemingly forgot about the Moonlight Maze group, as its attacks stopped. In reality, they just developed new tools and deployed new infrastructure. Researchers were still detecting their attacks, but they didn't know it was this mythical group from the 90s.

Researchers catch a break

The mystery about Moonlight Maze's disappearance lived on until 2016 when a misredacted FOIA request revealed the name of a British sysadmin, David Hedges.

A team of investigators from King's College London and Kaspersky Lab tracked down Hedges during 2016. Their persistence was eventually rewarded, as they discovered that Hedges had kept an old Linux machine that was compromised by the Moonlight Maze group in one of their operations.

HRTest server

Called HRTest, this was a Linux server that was hacked and used as a relay point in a giant network of proxies operated by the Moonlight Maze group.

Data would travel through these proxies for countless of hops until it would reach a dropping point where attackers could download it. Unknown to the Moonlight Maze group was that Hedges discovered the intrusion.

Working with UK authorities he transformed the HRTest machine into a honeypot, sniffing all the traffic that went through. All traffic details (no actual stolen data) were logged and saved offline.

Moonlight Maze's Linux backdoor

While US authorities classified data on Moonlight Maze attacks in an attempt to safeguard the stolen data from third-party investigators, it soon became clear they didn't have the experience of security researchers working in the private sector. Investigations stalled and eventually stopped, as Moonlight Maze disappeared from the face of the Earth during the early 2000s.

In reality, the group revamped all its infrastructure after attacks in 1999 became the subject of news headlines all over the world.

They did this by slowly refashioning their attack tools, shifting from Linux tools to Windows malware. They did this progressively, still using some of their older tools, learning along the way.

One of this tools that evolved during this transition period was a Linux malware family based on the LOKI2 backdoor published in a Phrack magazine in 1997.

Despite being used in attacks for almost 17 years, Kaspersky researchers unearthed evidence of attacks with this backdoor only in 2014.

At the time they didn't knew they had discovered a tool from the Moonlight Maze group and named the backdoor Penquin Turla, assigning it to a new APT discovered in the 2000s, named Turla.

Moonlight Maze operators made mistakes

But in 2016, data from the HRTest logs that wasn't destroyed by the FBI in 2008 came to light. This data was a goldmine for researchers, a forensics "time capsule."

It also helped that Moonlight Maze operators kept their own logs, which they forgot to delete, of all the actions they took.

These and the HRTest traffic logs from 1998 and 1999 revealed not only the humongous size of the Moonlight Maze network but also operational details, including the presence of the LOKI2 backdoor.

Jaws dropped when researchers realized the implications. They just solved one of the biggest mysterious in cyber-security: "What happened to the mythical Moonlight Maze?"

The Turla connection

In a presentation at the Kaspersky Security Analyst Summit (SAS) taking place this week in St. Maarten, researchers say Moonlight Maze evolved into what today we know as the Turla APT, a Russian-speaking cyber-espionage group first spotted in 2007, which has been behind some of the advanced hacks in recent years.

The group is most famous for using malware to hijack communications satellites and spy on targets in remote areas. In reality, its arsenal of tools includes many Windows malware families and UNIX attack tools.

The connection between Moonlight Maze and Turla shows that a nation state has gathered a  group of highly-talented hackers that are breaking ground on new ways to hack into systems.

The Moonlight Gaze group was one of the first groups to launch coordinated cyber-attacks on targets across the world using the Internet, and then they shifted to using satellites in the 2010s.

What's missing is a period in the early 2000s. The same research team believes that Moonlight Maze/Turla is also the group behind a series of attacks referenced as Storm Cloud, reported in 2003. These attacks targeted the Department of Defense and also used the LOKI2 backdoor.

The hunt continues

While 100% attribution is never certain in cyber-espionage campaigns, the clues uncovered on the HRTest server revealed more insight into Moonlight Maze operations than ever before.

Kaspersky researchers are now making a public plea to other sysadmins that still have old servers running or tucked somewhere on their network. If they still have logs going back to those early days of the Internet and they have evidence the server was compromise, researchers can be reached via email.

The full Kaspersky report can be found here, IOCs are here, and YARA rules for discovering Moonlight Maze malware is here.

Related Articles:

New executive order bans mass sale of personal data to China, Russia

Russian hackers shift to cloud attacks, US and allies warn

FBI disrupts Russian Moobot botnet infecting Ubiquiti routers

Chinese Earth Krahang hackers breach 70 orgs in 23 countries

French unemployment agency data breach impacts 43 million people