Russian Hackers Have Used the Same Backdoor for Two Decades

A twenty-year-old record of one of the earliest ever cyberespionage campaigns suggests the same spy group may still be alive and hacking.

About a year ago, the two-decade-old trail of a group of Russian hackers led Thomas Rid to a house in the quiet southern English village of Hartley Wintney. Rid, a cybersecurity-focused political science professor and historian, wrote a long-shot email to David Hedges, a 69-year-old retired IT consultant who lived there. Rid wanted to know if Hedges might somehow still possess a very specific, very old chunk of data: the logs of a computer Hedges had used to run a website for one of his clients in 1998. Back then, Russian spies had commandeered it, and used it to help run one of the earliest mass-scale digital intrusion campaigns in computing history.

A few weeks later, Hedges answered as if he’d almost been expecting the request: The ancient, beige HP 9000 computer that the Russians had hijacked was still sitting under his office desk. Its logs were stored on a magneto-optical drive in his home safe. “I’d always thought this might be interesting one day,” Hedges says. “So I put it in my safe and forgot about it until Thomas rang me.”

Over the months since then, Rid and a team of researchers from King's College and the security firm Kaspersky have pored over Hedges’ data, which recorded six months of the Russian hackers’ moves as they breached dozens of American government and military agencies---a history-making series of intrusions that’s come to be known as Moonlight Maze. In research they’re presenting at the Kaspersky Security Analyst Summit Monday, they argue that their archaeological hacker excavation reveals more than just a digital museum piece from the dawn of state cyberespionage. The researchers say they've found a piece of vintage malicious code in that trove that survives today, as part of the arsenal of a modern-day team of Russian hackers---believed to have Kremlin ties---known as Turla. And they suggest that the contemporary hacking team---though mutated and evolved through the years---could be the same one that first appeared in the late 90s, making it one of the longest-lived cyberespionage operations in history.

“We can see an evolution of tradecraft,” says Rid, who teaches at King's College Department of War Studies, and last week testified at a Senate hearing on Russian hackers meddling in the 2016 election. “They’ve been doing this for 20 years or even more.”

The HP9000 that Rid found nearly twenty years after Moonlight Maze hackers used it to stage their intrusion campaign.
Photo: David Hedges

That 90s Backdoor

In 1998, the UK’s Metropolitan police had contacted Hedges to tell him that his computer, like dozens of others, had been hacked and used as a staging point for Russian hackers to obscure their origin. The UK police, along with the US Department of Defense and the FBI, had asked Hedges not to eject the hackers from his system, but instead to record their activities for the next six months, silently spying on the spies.

When a surprisingly unredacted FOIA release finally helped lead Rid to Hedges, Hedges gave the researchers the logs from his HP9000 last year. In them, the team found that the late-90s hackers had used a Linux backdoor known as Loki2 to stealthily pull data out of some of the target computers they’d compromised. That trojan, first published in the hacker zine Phrack in 1996, had become a common tool at the time thanks to its trick of hiding stolen data in unlikely network channels, like Internet Control Message Protocol (ICMP) and Domain Name System (DNS) traffic.
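The covert-channel trick described above is also what makes tools of this class detectable on the wire: data smuggled in ICMP echo payloads rarely looks like what an ordinary ping utility sends. The Python below is an added illustration, not code from the article or from the King's College and Kaspersky researchers; the ping filler patterns it checks, the entropy threshold and the sample captures are all assumptions constructed for the example.

```python
import math
from collections import Counter

# Payload the Windows ping tool sends: a 32-byte alphabet run.
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for a repeated byte, up to 8 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_linux_ping(payload: bytes) -> bool:
    """Assumed iputils pattern: 8-byte timestamp, then 0x10, 0x11, 0x12, ..."""
    if len(payload) < 16:
        return False
    return all(b == (0x10 + i) & 0xFF for i, b in enumerate(payload[8:]))

def classify_payload(payload: bytes, max_entropy: float = 6.0) -> str:
    """'benign-pattern' for known ping fillers, 'high-entropy' for data that
    looks encrypted or compressed, otherwise 'unusual' (e.g. plaintext)."""
    if payload == WINDOWS_PING or looks_like_linux_ping(payload):
        return "benign-pattern"
    if shannon_entropy(payload) > max_entropy:
        return "high-entropy"
    return "unusual"

def flag_records(records):
    """records: iterable of (src_ip, payload). Returns {src_ip: suspicious count}."""
    flagged = Counter()
    for src, payload in records:
        if classify_payload(payload) != "benign-pattern":
            flagged[src] += 1
    return dict(flagged)

# Constructed sample captures (RFC 5737 addresses), not real traffic.
LINUX_PING = bytes(8) + bytes(range(0x10, 0x40))
SAMPLE_RECORDS = [
    ("192.0.2.10", WINDOWS_PING),
    ("192.0.2.10", LINUX_PING),
    ("192.0.2.77", bytes((i * 37 + 11) % 256 for i in range(128))),
    ("192.0.2.77", b"secret file contents"),
]

if __name__ == "__main__":
    for src, payload in SAMPLE_RECORDS:
        print(src, classify_payload(payload))
    print(flag_records(SAMPLE_RECORDS))  # {'192.0.2.77': 2}
```

Per-host counts of non-standard echo payloads, rather than single packets, are what a defender would alert on, since a tunnel needs many echoes to move a file while a stray odd ping means little.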

But Kaspersky’s researchers made a connection to a separate analysis they’d performed on a toolkit used by the Turla hackers in 2014, and which was used last year against the Swiss tech firm RUAG. The Turla toolkit had used a modified version of that same Loki2 backdoor. “This is a backdoor that’s been around for two decades that’s still being leveraged in attacks,” says Juan Andres Guerrero-Saade, a Kaspersky researcher. “When they need to be stealthier on a Linux or Unix machine, they dust off this code and use it again.” The use of that archaic code is far rarer today than in 1998: The researchers say they’ve searched extensively for any other modern-day hacker operations using the backdoor, and found none.

The team doesn't claim to have proven that Turla and the decades-old group are one and the same. The Loki2 link is just a first clue, not proof. But they’ve followed that link to find other hints of Kremlin hacker heredity, like references to the use of Loki2 in a 2001 Wall Street Journal article about another hacking spree known as Stormcloud, also suspected to be a Russian espionage operation.

To Rid, that common thread suggests the Moonlight Maze operation never really ended, but instead continued to develop and hone its techniques while retaining some consistent practices. “The Turla link shows us that Moonlight Maze evolved into an extremely sophisticated threat actor,” he says.

If the Turla-Moonlight Maze connection were proven, it would make that hacker group one of the oldest---if not the oldest---active state-sponsored hacking operations ever identified. The only comparable team would be the Equation Group, a highly sophisticated and decades-long espionage operation identified by Kaspersky two years ago and believed to be linked to the NSA.

A Hacker Time Capsule

Aside from that attempt to trace Turla’s longevity, the Moonlight Maze logs also provide a rare, minutely detailed record of how hackers operated 20 years ago. In several instances, the researchers say, the hackers set up software designed to record everything that occurred on a target machine, and then set about trying to gain deeper access on the same machine, thus recording and uploading a log of their own attacks.

That makes the logs something like a hacker time capsule, revealing how much cybersecurity has changed since then. The researchers note that the Moonlight Maze hackers barely attempted to obscure their malware, hide their tracks, or even encrypt the data they stole from their victims’ machines. They ran intrusion code they’d cut and pasted from public hacker forums and mailing lists, targeting flaws that at the time often went entirely unpatched because of the almost nonexistent relationship between the hacker community and the companies that might have fixed them.

Compared with modern cyberspies, the hackers also performed much of their work manually, typing commands on victim machines one by one instead of running automated malware. “Moonlight Maze was artisanal digital espionage: an operator- and labor-intensive campaign with little tolerance for error and only rudimentary automation,” the Kaspersky team writes in a paper detailing the connection.

Beyond late 90s nostalgia, however, the researchers hope their work will help shake loose more evidence of the missing links in state-sponsored hacker history---hiding, perhaps, under the desk of some other retired systems administrator somewhere. Without that perspective, argues Rid, cybersecurity will always remain narrowly focused on the threat of the moment without understanding its larger historical context.

“This is a field that’s not understanding its own history,” says Rid. “It goes without saying that if you want to understand the present or the future, you have to understand the past.”