Russian Hackers Have Used the Same Backdoor for Two Decades

ABOUT A YEAR ago, the two-decade-old trail of a group of Russian hackers led Thomas Rid to a house in the quiet southern English village of Hartley Wintney. Rid, a cybersecurity-focused political science professor and historian, wrote a long-shot email to David Hedges, a 69-year-old retired IT consultant who lived there. Rid wanted to know if Hedges might somehow still possess a very specific, very old chunk of data: the logs of a computer Hedges had used to run a website for one of his clients in 1998. Back then, Russian spies had commandeered it, and used it to help run one of the earliest mass-scale digital intrusion campaigns in computing history.

A few weeks later, Hedges answered as if he’d almost been expecting the request: The ancient beige HP 9000 computer that the Russians had hijacked was still sitting under his office desk. Its logs were stored on a magneto-optical disk in his home safe. “I’d always thought this might be interesting one day,” Hedges says. “So I put it in my safe and forgot about it until Thomas rang me.”

Over the months since then, Rid and a team of researchers from King’s College and the security firm Kaspersky have pored over Hedges’ data, which recorded six months of the Russian hackers’ moves as they breached dozens of American government and military agencies—a history-making series of intrusions that’s come to be known as Moonlight Maze. In research they’re presenting at the Kaspersky Security Analyst Summit Monday, they argue that their archaeological hacker excavation reveals more than just a digital museum piece from the dawn of state cyberespionage. The researchers say they’ve found a piece of vintage malicious code in that trove that survives today, as part of the arsenal of a modern-day team of Russian hackers—believed to have Kremlin ties—known as Turla. And they suggest that the contemporary hacking team—though mutated and evolved through the years—could be the same one that first appeared in the late 90s, making it one of the longest-lived cyberespionage operations in history.

“We can see an evolution of tradecraft,” says Rid, who teaches at King’s College Department of War Studies, and last week testified at a Senate hearing on Russian hackers meddling in the 2016 election. “They’ve been doing this for 20 years or even more.”

That 90s Backdoor
In 1998, the UK’s Metropolitan Police had contacted Hedges to tell him that his computer, like dozens of others, had been hacked and was being used as a staging point from which the Russian hackers launched their attacks while obscuring their true origin. The UK police, along with the US Department of Defense and the FBI, asked Hedges not to eject the hackers from his system, but instead to let them keep working and record their activities for the next six months, silently spying on the spies.

When a surprisingly unredacted FOIA response finally helped lead Rid to Hedges, he gave the researchers the logs from his HP 9000 last year. In them, the team found that the late-90s hackers had used a Unix backdoor known as Loki2 to stealthily pull data out of some of the target computers they’d compromised. That backdoor, first described in the hacker zine Phrack in 1996 (the Loki2 implementation followed in 1997), had become a common tool at the time thanks to its trick of hiding stolen data in unlikely network channels: it tunneled the data inside the payload of ICMP echo packets, the same packets used by ping, and inside DNS traffic, both of which firewalls and network monitoring of the era typically let through unexamined.
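To make the Loki2 trick concrete, here is an added example (not the article’s, Kaspersky’s, or Phrack’s code) that builds a minimal ICMP echo covert channel of the kind Loki2 used and then runs a heuristic detector over the resulting packets. The ICMP echo format and checksum are the real RFC 792/RFC 1071 ones; the chunk size, the channel identifier `0x4C4B`, the “normal ping” payload shapes used as a whitelist, and the sample data are all constructed assumptions for illustration. It works on raw ICMP bytes held in memory, so nothing is sent on the wire.

```python
"""
Added example: a Loki2-style ICMP echo covert channel plus a heuristic detector.
Packet layout and checksum follow RFC 792 / RFC 1071; everything else
(chunk size, channel ident, benign-ping patterns) is an assumption.
"""
import math
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
CHUNK = 48            # assumed bytes of smuggled data per echo packet
CHANNEL_IDENT = 0x4C4B  # assumed ICMP identifier the channel hides behind


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Serialize an ICMP echo request/reply; the 'data' field carries payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes):
    """Return (type, ident, seq, payload); a valid message checksums to zero."""
    if len(packet) < 8 or icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP message")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, ident, seq, packet[8:]


# --- the covert channel: Loki2's idea reduced to its essence ---------------

def loki_encode(data: bytes, ident: int = CHANNEL_IDENT) -> list:
    """Split data across echo requests; the seq field orders the chunks."""
    return [build_echo(ICMP_ECHO_REQUEST, ident, seq, data[i:i + CHUNK])
            for seq, i in enumerate(range(0, len(data), CHUNK))]


def loki_decode(packets: list, ident: int = CHANNEL_IDENT) -> bytes:
    """Reassemble data from the echo packets that carry the channel's ident."""
    chunks = {}
    for pkt in packets:
        icmp_type, pid, seq, payload = parse_echo(pkt)
        if pid == ident and icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            chunks[seq] = payload
    return b"".join(chunks[s] for s in sorted(chunks))


# --- detection: heuristics, assumed typical rather than exhaustive ---------

# iputils ping: 56-byte payload ending in the byte run 0x10..0x37 (assumed)
IPUTILS_TAIL = bytes(range(0x10, 0x38))
# Windows ping: 32-byte repeating alphabet payload (assumed)
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the payload; helps triage encrypted/compressed exfil."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_normal_ping(payload: bytes) -> bool:
    if len(payload) == 56 and payload[-len(IPUTILS_TAIL):] == IPUTILS_TAIL:
        return True
    return payload == WINDOWS_PAYLOAD


def flag_covert_echo(packets: list) -> list:
    """Return (index, reason) for echo packets whose data field is not a known ping shape."""
    findings = []
    for i, pkt in enumerate(packets):
        icmp_type, ident, seq, payload = parse_echo(pkt)
        if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            continue
        if looks_like_normal_ping(payload):
            continue
        findings.append((i, "ident=%#x seq=%d len=%d entropy=%.2f bits/byte"
                         % (ident, seq, len(payload), shannon_entropy(payload))))
    return findings


if __name__ == "__main__":
    # Constructed sample: a few benign pings mixed with smuggled text.
    stolen = b"constructed sample: root:x:0:0:root:/root:/bin/sh\n" * 3
    traffic = [build_echo(ICMP_ECHO_REQUEST, 1, 1, b"\x00" * 16 + IPUTILS_TAIL),
               build_echo(ICMP_ECHO_REQUEST, 2, 1, WINDOWS_PAYLOAD)] + loki_encode(stolen)
    for idx, why in flag_covert_echo(traffic):
        print("packet %d: %s" % (idx, why))
    print(loki_decode(traffic) == stolen)
```

The whitelist approach is deliberate: payload entropy alone does not separate a Loki2 chunk from a normal ping, because a standard ping payload already contains dozens of distinct bytes. What gives the channel away is that its payloads match no ping tool’s fixed pattern, arrive under one identifier with steadily rising sequence numbers, and carry sizes the host’s ping never sends; the entropy figure is reported only to help triage whether the smuggled data was plaintext or encrypted.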

But Kaspersky’s researchers made a connection to a separate analysis they’d performed on a toolkit used by the Turla hackers in 2014, one that was also used last year against the Swiss defense and technology firm RUAG. The Turla toolkit included a modified version of that same Loki2 backdoor. “This is a backdoor that’s been around for two decades that’s still being leveraged in attacks,” says Juan Andres Guerrero-Saade, a Kaspersky researcher. “When they need to be stealthier on a Linux or Unix machine, they dust off this code and use it again.” The use of that archaic code is far rarer today than it was in 1998: The researchers say they’ve searched extensively for any other modern-day hacker operations using the backdoor, and found none.