Moonlight Maze

Moonlight Maze was a 1999 US government investigation into a massive data breach of classified information. It started in 1996 and affected NASA, the Pentagon, military contractors, civilian academics, the DOE, and numerous other American government agencies. By the end of 1999, the Moonlight Maze task force was composed of forty specialists from law enforcement, military, and government. The investigators claimed that if all the information stolen was printed out and stacked, it would be three times the height of the Washington Monument, which is tall. The Russian government was blamed for the attacks, although there was initially little hard evidence to back up the US accusations besides a Russian IP address that was traced to the hack. Moonlight Maze represents one of the first widely known cyber espionage campaigns in world history. It was even classified as an Advanced Persistent Threat (a very serious designation for stealthy computer network threat actors, typically a nation state or state-sponsored group) after two years of constant assault. Although Moonlight Maze was regarded as an isolated attack for many years, unrelated investigations revealed that the threat actor involved in the attack continued to be active and employ similar methods until as recently as 2016.


Methods of attack

The hack began with the hackers building "back doors" through which they could re-enter the infiltrated systems at will and steal further data; they also left behind tools that rerouted specific network traffic through Russia. Everything they exploited during the attacks came from publicly available resources, not their own creation. In most cases, the exploits had been discovered by system administrators who intended to inform others of the vulnerabilities present in their own systems, but were instead manipulated for malicious purposes. The hackers found success because software manufacturers and maintainers were not vigilant about making sure there were no flaws in their systems. They would leave known vulnerabilities unpatched for long periods of time, sometimes as long as six months to a year, neglecting any security patch cycles. This was because, prior to Moonlight Maze, no one was aware of the damage that could be done through cyber attacks, since the internet was still relatively new. As a result, systems were extremely vulnerable and not very difficult to infiltrate, resulting in one of the largest data breaches of classified information in history. In order to conceal their location and throw off investigators, the hackers relayed their connection through various vulnerable institutions such as universities and libraries, since the servers they hacked could only see the last location they had routed through (a technique called proxying).


Outcome and impact

Describing the attack in testimony before Congress, James Adams, CEO of Infrastructure Defense Inc, warned that "the information was shipped over the Internet to Moscow for sale to the highest bidder" and that "The value of this stolen information is in the tens of millions, perhaps hundreds of millions of dollars." Information recovered in the hack may have included classified naval codes and data on missile-guidance systems, as well as other highly valued military data. They also stole tens of thousands of files containing technical research, military maps, U.S. troop configurations, military hardware designs, encryption techniques, and unclassified but crucial data relating to the Pentagon's war-planning, all of which could be sold to enemies of the United States. These attacks had very serious implications regarding the US' ability to defend itself. With the information acquired from the attack, the hackers might have been able to cripple US missile defense systems and cause an unimaginable amount of damage. Juan Andres Guerrero-Saade, Senior Security Researcher at Kaspersky Lab, stated: "The analysis of the Moonlight Maze samples is not just a fascinating archaeological study; it is also a reminder that well-resourced adversaries aren't going anywhere, it's up to us to defend systems with skills to match."


Connection to Turla

Turla is a Russian-language threat actor known for its covert exfiltration tactics, such as the use of hijacked satellite connections, waterholing of government websites, covert channel backdoors, rootkits, and deception tactics. The group's roots trace back to the once famous Agent.BTZ, a computer virus which had the ability to replicate itself as well as to scan for and steal data. The virus was used to briefly cripple the United States military, and was described as "the most significant breach of U.S. military computers ever" by a senior Pentagon official. This dates their rise to prominence around 2006–2007, a few years before Agent.BTZ, and almost 10 years after the events of Moonlight Maze. It wasn't until many years later, however, that information would come out linking Turla to Moonlight Maze. A group consisting of Kaspersky's Guerrero-Saade and Costin Raiu, and King's College London's Thomas Rid and Danny Moore, was able to track down a retired IT administrator who was the owner of a 1998 server which had been used as a proxy for Moonlight Maze. This was a huge breakthrough considering the long period of presumed inactivity (almost 20 years). They then used the server to observe the threat actor, and were able to retrieve a complete log of the attackers' code; after almost a year of thorough analysis, they were able to find a connection between rare Linux samples used by both Turla and Moonlight Maze (the code they shared was related to a backdoor used on LOKI 2, an information tunneling program released in 1996).


See also

* 2020 United States federal government data breach
* Cyberwarfare by Russia
* GhostNet
* Operation Aurora
* Titan Rain

