Moonlight Maze

From Wikipedia, the free encyclopedia

Moonlight Maze was a 1999 US government investigation into a massive data breach of classified information.[1] It is one of the first widely known cyber espionage campaigns in world history, and after roughly two years of sustained intrusion activity it was classified as an advanced persistent threat (APT).

Investigators claimed that, if all the stolen information were printed out and stacked, the pile would be three times the height of the Washington Monument, which is 555 ft (169 m) tall.[2]

History

The intrusions began in 1996 and affected NASA, the Pentagon, military contractors, civilian academics, the Department of Energy (DOE), and numerous other American government agencies. By the end of 1999, the Moonlight Maze task force comprised forty specialists from law enforcement, the military, and government.[3]

Information taken in the breach may have included classified naval codes and data on missile-guidance systems, along with other highly valued military data. The attackers also stole tens of thousands of files containing technical research, military maps, U.S. troop configurations, military hardware designs, encryption techniques, and unclassified but crucial data relating to the Pentagon's war planning.[4] With this information, the attackers might have been able to cripple US missile defense systems and cause enormous damage.[5]

The Russian government was blamed for the attacks, although there was initially little hard evidence to support the US accusations beyond a Russian IP address to which the activity was traced. Although Moonlight Maze was regarded as an isolated attack for many years, unrelated investigations later revealed that the threat actor behind it remained active and continued to employ similar methods until as recently as 2016.

It was not until many years later, however, that information emerged linking the Turla threat actor to Moonlight Maze. A group consisting of Kaspersky's Juan Andres Guerrero-Saade and Costin Raiu and King's College London's Thomas Rid and Danny Moore tracked down a retired IT administrator who still owned a server that had been used in 1998 as a proxy for Moonlight Maze.[6] This was a major breakthrough given the nearly 20-year period of presumed inactivity. The server had been used at the time to monitor the attackers, and its logs preserved a complete record of the attackers' code. After almost a year of thorough analysis, the group found a connection between rare Linux samples used by both Turla and Moonlight Maze: the shared code was a backdoor derived from LOKI2, an information-tunnelling (covert channel) program released in 1996.

Methods of attack

The intrusions began with the attackers installing "back doors" through which they could re-enter compromised systems at will and steal further data; they also left behind tools that rerouted selected network traffic through Russia. Every exploit used in the attacks came from publicly available sources rather than the attackers' own development.[7] In most cases these exploits had been published by system administrators to warn others of vulnerabilities in their own systems, but were instead repurposed for malicious ends.[7] The attackers succeeded because software vendors and system maintainers were not vigilant about eliminating flaws: known vulnerabilities were left unpatched for long periods, sometimes six months to a year, with no regular patch cycle. Before Moonlight Maze, few appreciated the damage a cyber attack could do, since the internet was still relatively new; systems were therefore highly exposed and not difficult to penetrate, and the result was one of the largest breaches of classified information in history. To conceal their location and mislead investigators, the attackers relayed their connections through a chain of vulnerable institutions such as universities and libraries (proxying): each compromised server could see only the address of the hop immediately before it, never the origin.
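The relay chaining described above is what makes attribution hard: no single host's log shows the origin, only the previous hop. The following is an added example, not material from the article or from the Moonlight Maze investigation, showing how an investigator with access to the logs of every hop can correlate them to walk the chain back. Each session's source address is matched to the relay that owns it, and the upstream session is required to have started shortly before the downstream one. The hostnames, addresses, users and log lines are constructed for the demo, as is the log format.

```python
"""Rebuild a multi-hop relay path from per-host login logs.

Added illustration, not material from the Moonlight Maze investigation or its
sources. A host reached through a chain of compromised relays sees only the
address of the last relay, so its own log never reveals the origin. Correlating
the logs of every hop, mapping each session's source address to the relay that
owns it and requiring the upstream session to begin shortly before the
downstream one, walks the chain back toward the origin. All hostnames,
addresses, users and log lines below are constructed for the demo.
"""
import re
from datetime import datetime, timedelta

# Constructed: which address belongs to which relay (known from the relay
# owners during an investigation). The true origin is deliberately absent.
HOST_ADDRS = {
    "target": "192.0.2.40",
    "relay-c": "192.0.2.30",
    "relay-b": "192.0.2.20",
    "relay-a": "192.0.2.10",
}

# Constructed login records: "<host> <ISO time> login from <src> as <user>".
# relay-c also carries two unrelated logins: one inside the time window but
# earlier than the real upstream session, and one after the target login,
# which cannot have caused it.
SAMPLE_LOGS = """\
target  1998-03-04T02:11:20 login from 192.0.2.30 as admin
relay-c 1998-03-04T02:09:00 login from 198.51.100.9 as guest
relay-c 1998-03-04T02:11:07 login from 192.0.2.20 as guest
relay-c 1998-03-04T02:13:00 login from 198.51.100.77 as guest
relay-b 1998-03-04T02:10:55 login from 192.0.2.10 as www
relay-a 1998-03-04T02:10:40 login from 203.0.113.5 as ftp
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+login from (\S+) as (\S+)$")


def parse_logs(text):
    """Parse the constructed log format into a list of session dicts."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable log line: {line!r}")
        host, ts, src, user = m.groups()
        sessions.append({"host": host, "time": datetime.fromisoformat(ts),
                         "src": src, "user": user})
    return sessions


def find_session(sessions, host, user):
    """Return the first session on `host` by `user` (the investigation's start)."""
    for s in sessions:
        if s["host"] == host and s["user"] == user:
            return s
    raise LookupError(f"no session on {host} as {user}")


def reconstruct_chain(sessions, host_addrs, start, window=timedelta(minutes=5)):
    """Walk the relay chain upstream from `start`.

    At each hop the source address is mapped to the relay that owns it, and the
    latest inbound session on that relay that began at most `window` before the
    downstream session is taken as the upstream link. Returns the hop list, the
    origin address (the first source no known relay owns) and whether the chain
    reached that origin or broke off at a hop with no matching upstream session.
    """
    addr_to_host = {addr: host for host, addr in host_addrs.items()}
    path = [start["host"]]
    current = start
    while True:
        upstream = addr_to_host.get(current["src"])
        if upstream is None:            # source is not a known relay: origin found
            return {"path": path, "origin": current["src"], "complete": True}
        if upstream in path:            # guard against a looping chain
            return {"path": path, "origin": None, "complete": False}
        candidates = [s for s in sessions
                      if s["host"] == upstream
                      and current["time"] - window <= s["time"] <= current["time"]]
        if not candidates:              # this hop's logs are missing: stop here
            return {"path": path, "origin": None, "complete": False}
        current = max(candidates, key=lambda s: s["time"])
        path.append(upstream)


if __name__ == "__main__":
    sessions = parse_logs(SAMPLE_LOGS)
    start = find_session(sessions, "target", "admin")
    print(reconstruct_chain(sessions, HOST_ADDRS, start))
```

The chain can only be followed as far as each relay's logs survive: dropping the relay-a records leaves the walk stopped at relay-b with `complete` false, which is why preserved logs from an intermediate hop matter so much to attribution. The five-minute window is an assumption for the demo; in practice it should be tuned to the observed session timing, and clock skew between hosts must be corrected before correlating.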

References

  1. "London Times --- Russian Hack DoD computers". greenspun.com. Retrieved 2019-10-15.
  2. "Hack may have exposed deep US secrets; damage yet unknown". The Independent. December 15, 2020. Retrieved 2020-12-23.
  3. Doman, Chris (2018-01-22). "The First Cyber Espionage Attacks: How Operation Moonlight Maze made history". Medium. Retrieved 2019-10-17.
  4. Adams, James (2 March 2000). "Testimony of James Adams, Chief Executive Officer, Infrastructure Defense, Inc.". Federation of American Scientists. Retrieved 17 October 2019.
  5. Adams, James (2001). "Virtual Defense". Foreign Affairs. 80 (3): 98–112. doi:10.2307/20050154. ISSN 0015-7120. JSTOR 20050154.
  6. "Moonlight Maze Lives On? Researchers Find 20-Year-Old Link to Current APT". secureworldexpo.com. 2017-04-03. Retrieved 2019-10-17.
  7. "Information Security: Effective Patch Management is Critical to Mitigating Software Vulnerabilities". govinfo.gov. 2003-09-10. Retrieved 2019-11-07.