
Shedding light on Moonlight cyberespionage methods

Kaspersky Lab researchers uncovered new information about one of the world's first cyberespionage groups, Moonlight, including information linking it to recent Turla attacks.

The Russian-speaking group launched a series of attacks against government and military agencies in the mid-1990s to steal sensitive information, routing its activity through chains of proxy servers to hide its origin, and later adapted its tactics to become stealthier.

Unbeknownst to the attackers, a system administrator regained control of one of the compromised servers and used it to record the group's actions. That recording later gave researchers a digital footprint of the group and a small constellation of the attacks known as “Moonlight Maze.”

Researchers found evidence linking Moonlight to the modern day Turla malware, according to a recent Kaspersky report detailing the findings.

Among other things, researchers said the Moonlight attackers were prolific Unix users who learned as they went, and who made the mistake of compromising machines that ran sniffers capturing all activity on those hosts, then using those same machines as relays to connect to other victims, leaving a record of their operations.

Moonlight was impressive for its adaptability and persistence at a time when digital espionage was not a widely acknowledged practice, researchers said. And although researchers were able to map a line of development between the old malware samples and the newer Penquin Turla samples, they are still looking for the intermediate steps in the group's tooling that would conclusively link the two.

“Moonlight Maze was a threat actor ahead of its time,” Kaspersky Lab Senior Security Researcher Juan Andres Guerrero Saade told SC Media. “Carried out by highly skilled operators, the cyberespionage campaign used proxies to steal victim data at alarming speed, seizing information within minutes – often coordinated through entire networks at once.”

In 1999, three years after the group began its campaign, the attackers burned their infrastructure and changed their toolkit to be stealthier; the operation was subsequently renamed “Storm Cloud,” and the group continued its campaign using other tactics, he said.

“When looking at Moonlight Maze the actual number of victims is unknown, but included the Pentagon, NASA, the Department of Energy and a wide range of other government and military organizations, universities, research institutions, libraries and more,” Saade said.
