The First Cyber Espionage Attacks: How Operation Moonlight Maze made history

Newly declassified documents shed light on the original cyber cold-case

In September 1999 Newsweek broke the story that the United States was under a sustained cyber attack. They claimed that thousands of sensitive but unclassified documents relating to technologies with military applications had been stolen. Further reports at the time pointed the finger at the Russian government as a possible source of the attack, but details were limited.

Last Saturday Silas Cutler, a Senior Security Researcher at CrowdStrike and Project Director of MalShare, shared newly declassified documents that the FBI had on the case following a Freedom of Information Act request. This coincides with the release of a book by Thomas Rid that covers the attacks, drawing on interviews with many of the people close to the case twenty years ago.

Initial Identification

In 1998 a technician at a specialist materials company “ATI-Corp” identified a connection from their network to Wright Patterson Air Force Base. He noticed the user was connecting at 3 AM on a Sunday, and the owner of the account confirmed that they weren’t using the account at that time. He raised the alarm to a number of CERTs (Computer Emergency Response Teams) - the Air Force were the first to respond.

They identified it was an attacker, and found they had made further connections to Wright Patterson Air Force Base from the University of South Carolina, Wright University and the University of Cincinnati. In one instance it appeared the attackers had made a mistake — they had connected (possibly directly) from a machine in Moscow.

As the FBI commenced an investigation, code named “Moonlight Maze”, it became clear that this wasn’t an isolated case. It was a coordinated attack on an unprecedented scale.

Summary of the attackers’ connections as recorded within the documents (graphic by the author)

The Investigation

A team was stood up quickly, bringing together elements from law enforcement, defense and government.

The investigation widened as the attackers compromised important research institutions such as the Army, Los Alamos and Sandia national laboratories. The victims covered the United States, United Kingdom, Canada, Brazil and Germany.

By 1999 a Moonlight Maze working group was established, comprising forty specialists from Law Enforcement, Military and Government.

Universities

The investigators identified that the attackers were proxying through university networks and small businesses. Universities and small businesses make excellent proxies for attacks — they may have fast network links to target systems and their traffic appears more legitimate than a connection from Moscow. They can also have valuable information of their own – despite their weak defenses.

The investigators installed the network equivalents of wire-taps at a number of the compromised universities that the attackers were moving through. Now they could watch the attackers as they typed out their commands. They discovered the attackers were using the standard tools (Telnet and FTP) to move through networks and steal documents without standing out.

London

Reviewing the connections from the Universities, the investigators identified an earlier hop-point in London, and looped in the local Met police force. The documents don’t describe this system in detail, but Rid has reconstructed the events from other sources. The attackers compromised a system “HR Test” at the Institute of Personnel and Development in London to store their tools and stolen documents.

The investigation didn’t all go to plan. Someone with an awareness of the investigation connected to the system in London without permission to obtain a copy of the hackers’ tools. The FBI requested a warrant and seized his home and work computers.

Other agencies

The investigators requested the assistance of further teams with better access to the attackers’ communications, which could potentially help to track stolen documents and malicious commands as they transited to the attackers. Given the sensitive nature of this work, this is only described in passing within the redacted documents.

Setting the Trap

The documents show the investigators considered the possibility of creating a honeypot, to lure the attackers into a system designed to help identify information about them. This had proven to be a successful method in well-known attacks involving a German hacker called Markus Hess, who had stolen technologies to sell to the Soviet Union in the 1980s.

Rid describes a relatively simple method that the investigators used — a honey document they allowed the attackers to steal, that when opened initiated a DNS request back to a machine operated by the investigators. This provided the location of the machine the document was opened on.
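The defender's side of such a honey document can be sketched as follows. This is an added example, not code from the investigation or from Rid's account: each planted document carries its own unguessable hostname, and the DNS query log is searched for those names. The zone name, key, document ids and log format are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumptions (all hypothetical): zone name, key, document ids, log format.
CANARY_ZONE = "canary.example.test"
SECRET_KEY = b"constructed-demo-key"

def token_for(doc_id: str) -> str:
    """Derive an unguessable DNS label that identifies one planted document."""
    return hmac.new(SECRET_KEY, doc_id.encode(), hashlib.sha256).hexdigest()[:16]

def beacon_name(doc_id: str) -> str:
    """Hostname embedded in the honey document; a lookup of it is the alert."""
    return f"{token_for(doc_id)}.{CANARY_ZONE}"

# Constructed query-log format: "<ISO timestamp> <source ip> <qname> <qtype>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def find_hits(log_lines, doc_ids):
    """Return (timestamp, source_ip, doc_id) for each query naming a planted token."""
    registry = {token_for(d): d for d in doc_ids}
    suffix = "." + CANARY_ZONE
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed line, skip rather than crash
        ts, src, qname, _qtype = m.groups()
        qname = qname.lower().rstrip(".")  # DNS names are case-insensitive
        if not qname.endswith(suffix):
            continue  # not a query for the canary zone
        label = qname[: -len(suffix)].split(".")[-1]  # label directly under the zone
        doc = registry.get(label)
        if doc:  # unknown labels are noise or guesses, not a document being opened
            hits.append((ts, src, doc))
    return hits

PLANTED = ["budget-draft", "materials-spec"]
SAMPLE_LOG = [  # constructed sample lines, not real data
    "2024-03-01T03:12:09Z 198.51.100.7 www.example.test. A",
    f"2024-03-01T03:14:55Z 203.0.113.20 {beacon_name('materials-spec').upper()}. A",
    f"2024-03-01T03:15:02Z 203.0.113.20 deadbeefdeadbeef.{CANARY_ZONE} A",
    "garbage",
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG, PLANTED):
        print(hit)
```

The source address in the log is that of whichever resolver forwarded the query, which may be a recursive resolver rather than the machine that opened the document.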

A Russian nexus

Many of the documents are concerned with suspicions of who is behind the attacks. They note that the attackers didn’t work during Russian Orthodox holidays, and their working hours could align with a typical working day in Russia.

Some attacker connections were identified from dial-up modem accounts in Moscow. Whilst it’s possible the attackers proxied connections from elsewhere, it is less likely with a dial-up connection than with a server.

Public reports at the time referred to the Russian Academy of Sciences as being a possible source, and an encryption company reported an attack against its servers from a system in their network range. However, there is no public information clearly linking the academy to the attacks.

Rid describes further findings. An Air Force investigator named Kevin Mandia, now the CEO of cyber-security juggernaut FireEye Mandiant, identified the Russian phrase for “child process” within one of the attackers’ tools. School children in many parts of the former USSR learn Russian — so this is not as strong an indicator as it may appear.

The visit to Moscow

The investigative team had no smoking gun, so they decided to go to Moscow itself to follow the leads they had. Rid records an incredible piece of luck for the investigators. The Russian Ministry of the Interior requested US assistance in identifying persons who had defamed Russian President Boris Yeltsin’s daughter. The FBI assisted as far as they were permitted, and asked for reciprocal help on Moonlight Maze, giving the Russians the impression it was a more standard criminal case.

Many of the documents record the logistics of sending members of the Moonlight Maze working group to Moscow. However, they don’t describe the outcome of these events.

Just what happened on the Russian side isn’t clear. But both Rid’s account, and another by Fred Kaplan, describe a Russian General. At first he was happy to help the investigators, likely thinking it was a simple criminal case with no connections to his own government, but he soon disappeared and Russian assistance was withdrawn.

Aftermath

Many thousands of pages were stolen by the attackers from a number of sources. Whilst the information was unclassified, it aligned to controlled technologies with military applications.

The documents also record the reactions when, following an initial classified briefing to Congress on the state of the investigation, the news leaked and Newsweek published an article on the story. The attackers continued their intrusions despite the attention, though they soon became harder to track.

In a summary of the case during the investigation, the author of a document records one “non-US person” had been identified, as had one “piece of malicious code”. The documents don’t go into detail of what these are.

Rid suggests that whilst the attackers became more difficult to track there may be links, via the usage of satellite infrastructure and programming code, to a modern group of attackers named Turla. Turla are best known for a 2008 compromise of classified Department of Defense networks, and continue to be a thorn in the side of many embassies and defense contractors.

The attacks aren’t the first cyber-attacks against the United States linked to a foreign state — those were the 1985 attacks by Markus Hess. And sophisticated English-speaking attackers have been dated back to at least 1996, coincidentally when some of the first Moonlight Maze attacks commenced.

But Moonlight Maze did mark the beginning of a new era of constant cyber-espionage. They were quickly followed by the Titan Rain attacks — allegedly this time of Chinese, not Russian, origins.


Thoughts? Questions? I’d love to hear them — I’m @chrisdoman on Twitter

Many thanks to Thomas Lancaster, Michael Yip, Nina Dickinson, @instacyber and Richard Lewis for reviewing the article and suggesting edits prior to publication.