
Ancient APT resurrected to launch modern attacks

(Image credit: Shutterstock/alexskopje)

Security researchers from Kaspersky Lab and King's College London have uncovered similarities between Turla attacks from 2011 and 2017 and an ancient advanced persistent threat that was used two decades ago to attack the US government's network.

The researchers (Juan Andres Guerrero-Saade and Costin Raiu from Kaspersky Lab, and Thomas Rid and Danny Moore from King's College London) obtained logs of Moonlight Maze, an attack that happened in the late 1990s, from a now-retired IT admin whose server had been used as a proxy to launch the attacks.

Looking at the logs, the researchers found that the same code is still being used in attacks today.

“If the link between Turla and Moonlight Maze is proven, it would place the evolved threat actor alongside the Equation Group in terms of its longevity, as some of Equation’s command-and-control servers date back to 1996,” the two groups said in a press release.

“In the late 1990s, no-one foresaw the reach and persistence of a coordinated cyberespionage campaign. We need to ask ourselves why it is that attackers are still able to successfully leverage ancient code in modern attacks. The analysis of the Moonlight Maze samples is not just a fascinating archaeological study; it is also a reminder that well-resourced adversaries aren’t going anywhere, it’s up to us to defend systems with skills to match,” said Juan Andres Guerrero-Saade, Senior Security Researcher, Global Research and Analysis Team, Kaspersky Lab.

Details of the Cupboard Samples logs and scripts, as well as Indicators of Compromise and hashes to help organisations search for traces of these attack groups in their corporate networks, can be found at this link.


Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. His work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.