CTI Case Studies: Moonlight Maze

One of the first nation-state-sponsored cyber espionage campaigns.

Systems Affected: The Pentagon, NASA, the Department of Energy, weapons laboratories, and universities throughout the United States.

In 1998 a technician at ATI-Corp (a specialist materials company) spotted a connection from their network to Wright Patterson Air Force Base. The technician observed that the user was connecting at 3:00 am on a Sunday, which raised an alarm. The actual owner of the account confirmed that they weren’t using the account at that time. He passed this information on to a number of Computer Emergency Response Teams (CERTs). The Air Force was the first to respond.

After the activity was confirmed to be an attacker, investigators were able to trace more connections from the University of South Carolina, Wright University, and the University of Cincinnati, all leading to Wright Patterson Air Force Base.

There were reports (from the news media organisation FRONTLINE) that sources had indicated the attackers had been browsing through thousands of files containing data such as maps of military installations, troop configurations, and military hardware designs.

It became quite clear that the threat was primarily targeting places where even unclassified information could still be quite sensitive.

Incident response teams tasked with performing IR and analysis of the affected systems and data found that the attack had been going on for almost two years.

An attack that preceded Moonlight Maze, known as Solar Sunrise, helped investigators because they were able to use the attack profile seen previously in order to identify the attackers. That profile was to enumerate the network address space; gather and remove data; carry out probing activities (including destruction of file and system structures); and scan for vulnerabilities and, once vulnerabilities were successfully identified, exploit them and deliver a malicious payload: a backdoor program enabling the attackers to re-enter the system.

The investigators identified that the attackers were proxying through university networks and small businesses. This was a way for them to look more legitimate and to go unnoticed.

Even the most strategic and meticulous attacker is bound to make a mistake. And at one point they appeared to connect from a machine in Moscow…

All roads lead to Russia…

With an attack of this size and nature accusations can’t be made lightly or carelessly. However, all indicators ended up pointing in one direction.

The Russian connection…

  • Some attacker connections were identified from dial-up modem accounts in Moscow. It’s possible the attackers proxied connections from elsewhere, but it is less likely with a dial-up connection than with a server.

  • The attackers didn’t work during Russian Orthodox holidays, and their working hours could align with a typical work day in Russia.

  • Kevin Mandia (CEO of FireEye Mandiant) identified the Russian phrase for “Child Process” within one of the attackers’ tools.

  • Public reports at the time referred to the Russian Academy of Sciences as a possible source, and its encryption company reported attacks against its servers from a system in their network range. However, there is no public information clearly linking the academy to the attacks.

  • The Russian Ministry of the Interior requested US assistance in identifying persons who had defamed Russian President Boris Yeltsin’s daughter. The FBI assisted as far as they were permitted, and asked for reciprocal help on Moonlight Maze, giving the Russians the impression it was a more standard criminal case.

  • A Russian general was at first happy to help investigators, but he soon disappeared and Russian assistance was withdrawn.

  • A small cyber crime team at the Air Force Office of Special Investigations decrypted the Moonlight Maze code commands and found that the codes had been typed in Cyrillic, which helped confirm that Russia was behind the attacks.
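Two of the signals in this case study are temporal: the account that was seen connecting at 3:00 am on a Sunday (the anomaly that started the investigation) and the observation that the attackers’ activity lined up with a Russian working day and went quiet on Russian Orthodox holidays. The script below is an added example, not code from the original post: it parses a constructed authentication log (sample timestamps and documentation-range IPs, all invented), flags events outside the defender’s own business hours, and scores how well the activity fits Monday-to-Friday working hours in several candidate UTC offsets. The log format, the business-hours window (08:00 to 18:00), the candidate offsets and the holiday date are all assumptions made for the example.

```python
"""Temporal analysis of an authentication log: off-hours flagging and
working-hours timezone fit. Added example; not code from the original post."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
import re

# Constructed sample log (not real data). Timestamps are UTC; source IPs are
# from documentation ranges. Every line belongs to the one account under review.
SAMPLE_LOG = """\
2023-01-15T08:00:00Z user=jdoe src=203.0.113.5 action=login
2023-01-16T06:30:00Z user=jdoe src=203.0.113.5 action=login
2023-01-16T08:00:00Z user=jdoe src=198.51.100.7 action=file_read
2023-01-16T11:45:00Z user=jdoe src=198.51.100.7 action=file_read
2023-01-17T07:15:00Z user=jdoe src=203.0.113.5 action=login
2023-01-17T13:00:00Z user=jdoe src=203.0.113.5 action=file_read
2023-01-18T09:30:00Z user=jdoe src=198.51.100.7 action=login
2023-01-19T14:00:00Z user=jdoe src=203.0.113.5 action=file_read
2023-01-20T10:00:00Z user=jdoe src=198.51.100.7 action=login
"""

# Assumed candidate offsets; named zones with DST would work the same way via zoneinfo.
CANDIDATES = {"UTC-5 (US East)": -5, "UTC+3 (Moscow)": 3, "UTC+8": 8}
DEFENDER_OFFSET = -5  # assumption: the monitoring team sits in US Eastern time

LINE_RE = re.compile(r"^(\S+)\s+user=(\S+)\s+src=(\S+)\s+action=(\S+)$")


@dataclass(frozen=True)
class Event:
    ts: datetime  # timezone-aware, normalised to UTC
    user: str
    src: str
    action: str


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        events.append(Event(ts.astimezone(timezone.utc), m.group(2), m.group(3), m.group(4)))
    return events


def to_local(ts, offset_hours):
    return ts.astimezone(timezone(timedelta(hours=offset_hours)))


def in_business_hours(local, start=8, end=18):
    """Monday to Friday, start <= hour < end, in the already-localised time."""
    return local.weekday() < 5 and start <= local.hour < end


def off_hours_events(events, offset_hours):
    """Events outside the defender's own business hours: the 3 am Sunday login
    kind of anomaly that an analyst would want surfaced for review."""
    return [e for e in events if not in_business_hours(to_local(e.ts, offset_hours))]


def business_hours_fit(events, candidates):
    """For each candidate offset, the fraction of activity that falls inside a
    Mon-Fri working day there. A high fraction is one attribution indicator,
    not proof: proxies, scheduled tooling and bad clocks all distort it."""
    if not events:
        return {}
    return {
        name: sum(in_business_hours(to_local(e.ts, off)) for e in events) / len(events)
        for name, off in candidates.items()
    }


def best_fit(fit):
    return max(fit, key=fit.get)


def activity_on_dates(events, offset_hours, dates):
    """Count events whose local date is in `dates` (e.g. a holiday calendar).
    Silence on holidays only means something over a long observation window."""
    return sum(to_local(e.ts, offset_hours).date() in dates for e in events)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in off_hours_events(events, DEFENDER_OFFSET):
        print("off-hours:", to_local(e.ts, DEFENDER_OFFSET).strftime("%a %H:%M"), e.src, e.action)
    fit = business_hours_fit(events, CANDIDATES)
    for name, frac in fit.items():
        print(f"{name}: {frac:.0%} of activity inside working hours")
    print("best fit:", best_fit(fit))
    orthodox_christmas = {date(2023, 1, 7)}  # assumed holiday date for the example
    print("events on assumed holiday:", activity_on_dates(events, 3, orthodox_christmas))
```

Run as-is, the sample flags seven of nine events as off-hours for the US Eastern defender (the first being 03:00 on a Sunday) while the same timestamps sit almost entirely inside a working day at UTC+3. The design keeps the scoring separate from the parsing so the same functions can be pointed at real VPN or authentication logs once their timestamps are normalised to UTC; as the list above treats it, the timezone fit is one indicator to weigh alongside the others, not a conclusion on its own.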

Still today, Moonlight Maze is actively investigated by United States intelligence agencies.

As a consequence of this attack the Pentagon spent $200 million on new cryptographic equipment, as well as upgrading its intrusion detection solutions and firewalls. These necessary measures were taken to strengthen the overall risk posture of NIPRNET (the Non-Classified Internet Protocol Router Network, used to exchange unclassified information). However, the efficacy of this would come under review.

The damage from Moonlight Maze would prove to be far-reaching and did not stop in the 1990s. In 2016 Kaspersky and King’s College London found logs and samples of the old code from Moonlight Maze that have been linked to the threat actor Turla.

The open-source backdoor previously used in Moonlight Maze was connected to the evolved backdoor used by Turla in 2011, and possibly as recently as 2017, to steal information from victim networks.

A lot of the evidence from this groundbreaking attack is still classified to this day due to the sensitive nature of the hijacked information.