Security Experts:

Connect with us

Hi, what are you looking for?



Turla Linked to One of the Earliest Cyberespionage Operations

Researchers at Kaspersky Lab and King’s College London have identified a link between the Russian-speaking threat actor Turla and Moonlight Maze, one of the earliest known state-sponsored cyberespionage operations carried out in the ‘90s.

Researchers at Kaspersky Lab and King’s College London have identified a link between the Russian-speaking threat actor Turla and Moonlight Maze, one of the earliest known state-sponsored cyberespionage operations carried out in the ‘90s.

In around 1996, a threat group believed to be located in Russia had started spying on organizations in the United States, including the Pentagon, the Department of Energy and NASA. The actor had stolen vast amounts of sensitive information from universities, military and research organizations. The activities of the group, dubbed Moonlight Maze, were first made public in 1999 and detailed last year at Kaspersky’s SAS conference by Thomas Rid of King’s College London.

Experts have dug further into Moonlight Maze’s activities and at this year’s SAS conference they presented evidence linking the threat actor to Turla. If Turla does in fact turn out to be an evolution of Moonlight Maze, that would make it one of the earliest and longest cyber espionage operations, along with the NSA’s Equation Group, which is also believed to have been active since the mid ‘90s.

Turla is also known as Waterbug, KRYPTON and Venomous Bear, and some of its primary tools are tracked as Turla (Snake and Uroburos) and Epic Turla (Wipbot and Tavdig). The threat actor has been linked to the Agent.BTZ malware, which indicates that Turla may have been active since as early as 2006.

Kaspersky and King’s College London researchers found precious information after learning of David Hedges, a now-retired administrator who got to watch Moonlight Maze in action when one of his servers was compromised by the threat group back in 1998. Hedges had allowed the attackers to use his server in order to help the Metropolitan Police in London and the FBI track the team’s activities.

Hedges still had the old server, which recorded data between 1998 and 1999, allowing the researchers to analyze the tools used at the time by Moonlight Maze.

The analysis showed that the attackers compiled most of their tools on UNIX operating systems such as Solaris and IRIX. One of the third-party tools they used was LOKI2, an open-source backdoor released in 1996.

LOKI2 has provided a link to Penquin Turla, a Linux backdoor identified by Kaspersky Lab in 2014. Penquin Turla’s code was compiled for Linux kernel versions released in 1999, and the malware was based on LOKI2, which had been designed for covert data exfiltration.

Researchers believe the Penquin Turla codebase was primarily developed between 1999 and 2004, but the malware was also spotted in the 2011 attack on Swiss defense firm RUAG, and a new sample was uploaded to the VirusTotal service in March 2017. The experts’ theory is that the hackers dusted off the old code and reused it in attacks aimed at highly secure entities whose defenses may have been more difficult to breach using the group’s typical Windows toolset.

While the use of LOKI2 source code and other similarities do provide a link between Turla and Moonlight Maze, more evidence is needed before researchers can say with certainty that the former is an evolution of the latter.

Further evidence may be found in data collected from a campaign dubbed Storm Cloud. The Wall Street Journal reported in 2001 that this operation had also involved LOKI2, but researchers currently have little information on Storm Cloud.

Related: Russia-Linked “Turla” Group Uses New JavaScript Malware

Related: Turla-Linked Group Targets Embassies, Ministries

Related: Turla Group Improves Carbon Backdoor

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.