As the conflict between Russia and Ukraine worsens, U.S. agencies have warned that Russian malware built to target Ukraine could spill over into other countries, including the U.S. and NATO allies. Russia has a long history of government-sponsored cyberattacks, beginning with Moonlight Maze in 1996.
In the fall of 1999, Newsweek broke the story that the first Russian cyberattack on the U.S. was under way. It was one of the first nation-state-sponsored cyber espionage campaigns on record. Much of the evidence remains classified because of the significance of the attack and the sensitivity of the stolen information.
The Moonlight Maze attack
Moonlight Maze was the U.S. government's code name for its investigation into an enormous breach of classified information. The intrusions began in 1996 and hit NASA, the Pentagon, military contractors, civilian academics, the Department of Energy (DOE) and several other U.S. government agencies. They were not discovered until the spring of 1998, when investigators noticed abnormal activity on restricted networks.
By the end of 1999, the U.S. had assembled a Moonlight Maze task force of 40 specialists from law enforcement, the military and other government agencies. Investigators estimated that the stolen information, printed out and stacked, would have stood three times the height of the Washington Monument.
According to a Forbes article, the attack was sophisticated for its time. The threat actors routed their traffic through a third-party server to frustrate attribution and planted backdoors so they could return later to exfiltrate data. The campaign ran for at least two years and is now regarded as an early example of an advanced persistent threat (APT): a long-running, well-resourced intrusion that was very hard to detect.
The attack began with mapping the target's network address space, followed by scanning for vulnerabilities. The attackers then exploited those vulnerabilities to install a backdoor, which let them re-enter the systems at will. From there they collected and exfiltrated data and continued probing, which at times destroyed files and system structures.
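The reconnaissance sequence described above (mapping the address space, then scanning it) leaves a pattern a defender can look for: one source touching many hosts, or many ports on one host, inside a short window. The following Python is an added example, not code from the original article or from the Moonlight Maze investigation. It flags an address sweep and a per-host port scan in constructed connection-log lines; the log format, addresses, window and thresholds are all hypothetical.

```python
"""Added example (not from the original article): flag the recon phase the
article describes by counting distinct targets per source within a sliding
time window over constructed connection-log lines."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical log format: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<proto>\w+)$"
)

WINDOW = timedelta(seconds=60)   # hypothetical window
SWEEP_HOSTS = 8                  # distinct targets from one source inside WINDOW
SCAN_PORTS = 10                  # distinct ports on one target inside WINDOW


def parse(log_text):
    """Parse log lines into (timestamp, src, dst, port) tuples sorted by time."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"])))
    events.sort()
    return events


def detect_recon(events, window=WINDOW, sweep_hosts=SWEEP_HOSTS, scan_ports=SCAN_PORTS):
    """Return one alert per source that sweeps many hosts, and one per
    (source, target) pair where many distinct ports are probed, within window."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    alerts, seen = [], set()
    for src, evs in by_src.items():
        host_hits = Counter()             # dst -> events currently in window
        port_hits = defaultdict(Counter)  # dst -> port -> events currently in window
        start = 0
        for ts, _, dst, port in evs:
            host_hits[dst] += 1
            port_hits[dst][port] += 1
            # Evict events older than the window; the current event is never evicted.
            while evs[start][0] < ts - window:
                _, _, odst, oport = evs[start]
                host_hits[odst] -= 1
                if host_hits[odst] == 0:
                    del host_hits[odst]
                port_hits[odst][oport] -= 1
                if port_hits[odst][oport] == 0:
                    del port_hits[odst][oport]
                start += 1
            if len(host_hits) >= sweep_hosts and ("sweep", src) not in seen:
                seen.add(("sweep", src))
                alerts.append({"kind": "address_sweep", "src": src,
                               "hosts": len(host_hits), "at": ts.isoformat()})
            if len(port_hits[dst]) >= scan_ports and ("scan", src, dst) not in seen:
                seen.add(("scan", src, dst))
                alerts.append({"kind": "port_scan", "src": src, "dst": dst,
                               "ports": len(port_hits[dst]), "at": ts.isoformat()})
    return alerts


def constructed_sample():
    """Constructed sample traffic (hypothetical; not real Moonlight Maze data)."""
    lines = []
    # benign: a workstation polling a web server once an hour
    for h in range(1, 6):
        lines.append(f"1998-03-02T0{h}:00:00 198.51.100.4 -> 192.0.2.1:80 tcp")
    # sweep: one source touching eight hosts on telnet within a few seconds
    for i in range(1, 9):
        lines.append(f"1998-03-02T02:30:{i:02d} 203.0.113.7 -> 192.0.2.{i}:23 tcp")
    # scan: the same source then probing ten ports on one of those hosts
    for j, port in enumerate([21, 22, 23, 25, 53, 79, 80, 110, 111, 143]):
        lines.append(f"1998-03-02T02:31:{j:02d} 203.0.113.7 -> 192.0.2.5:{port} tcp")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect_recon(parse(constructed_sample())):
        print(alert)
```

The sliding window is what keeps the hourly polling from the benign workstation below threshold while the bursty sweep and scan trip it; in practice the thresholds would be tuned against the organization's own baseline rather than the hypothetical values used here.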
The Russian government was blamed for the attacks, although initially there was little hard evidence to support U.S. accusations beyond an IP address in Moscow traced to the intrusions. According to a ScienceDirect report, “Michael Vatis, the director of the FBI National Infrastructure Protection Center said that the intrusions appeared to have originated in Russia, although the evidence was deemed circumstantial at best.” Later, a small cybercrime team at the Air Force Office of Special Investigations decrypted the attackers’ command sequences and found that the commands had been typed in Cyrillic, which helped confirm that Russia was behind the intrusions.
Impact on U.S. cyber defense
According to James Adams, CEO of Infrastructure Defense Inc., “The value of this stolen information is in the tens of millions — perhaps hundreds of millions — of dollars; there’s really no way to tell. The information was shipped over the internet to Moscow for sale to the highest bidder.”
Information stolen in the hack included classified naval codes, data on missile-guidance systems and other high-value military information. The attackers also took tens of thousands of files covering technical research, military maps, U.S. troop configurations, military hardware designs, encryption techniques and Pentagon war-planning data, all of it available to anyone willing to pay.
Whoever obtained the stolen information could have crippled U.S. missile defense systems and done an unthinkable amount of damage. The discovery prompted a reassessment of U.S. cybersecurity practices. According to the same ScienceDirect report, “As a result of the discovery and investigation of the attack, the Pentagon had ordered $200 million in new cryptographic equipment in addition to having upgraded its intrusion detection solutions and firewalls.”
Links to Turla
Moonlight Maze’s damage did not end in the ’90s. In 2016, researchers from Kaspersky Lab and King’s College London recovered logs and old code samples from the Moonlight Maze intrusions and linked them to a current threat actor, Turla. They found that an open-source backdoor Moonlight Maze had used to steal information from victim networks shares code with an evolved backdoor Turla used in 2011 and possibly as recently as 2017.
While countless cyberattacks have occurred since 1996, attackers’ tactics are evolving as fast as U.S. defenses. Moonlight Maze may have been the first Russian cyberattack on the U.S., but it will not be the last. Threat actors around the world have become stealthier, more creative and better organized.
“In the late 1990s, no one foresaw the reach and persistence of a coordinated cyberespionage campaign,” said Juan Andres Guerrero-Saade, senior security researcher, Global Research and Analysis Team at Kaspersky Lab. “We need to ask ourselves why it is that attackers are still able to successfully leverage ancient code in modern attacks. The analysis of the Moonlight Maze samples is not just a fascinating archaeological study; it is also a reminder that well-resourced adversaries aren’t going anywhere. It’s up to us to defend systems with skills to match.”