Ancient APT resurrected to launch modern attacks

Security researchers from Kaspersky Lab and Kings College London have uncovered similarities between Turla attacks from 2011 and 2017, and an ancient advanced persistent threat, used two decades ago to launch an attack against the US government's network.

The researchers (Juan Andres Guerrero-Saade and Costin Raiu from Kaspersky Lab and Thomas Rid and Danny Moore from Kings College London) have taken logs of Moonlight Maze, an attack that happened in the late 90's, from a now retired IT admin whose server has been used as a proxy to launch the attacks. 

Looking at the logs, the researchers uncovered that the same code is still being used in attacks today.

"If the link between Turla and Moonlight Maze is proven, it would place the evolved threat actor alongside the Equation Group in terms of its longevity, as some of Equation’s command-and-control servers date back to 1996,” the two groups said in a press release.

“In the late 1990s, no-one foresaw the reach and persistence of a coordinated cyberespionage campaign. We need to ask ourselves why it is that attackers are still able to successfully leverage ancient code in modern attacks. The analysis of the Moonlight Maze samples is not just a fascinating archaeological study; it is also a reminder that well-resourced adversaries aren’t going anywhere, it’s up to us to defend systems with skills to match,” said Juan Andres Guerrero-Saade, Senior Security Researcher, Global Research and Analysis Team Kaspersky Lab.

Details of the Cupboard Samples logs and scripts, as well as Indicators of Compromise and hashes to help organisations search for traces of these attack groups in their corporate networks can be found on this link.

Image source: Shutterstock/alexskopje