Reverse Deception: Organized Cyber Threat Counter-Exploitation


Authors: Sean Bodmer
of the series of events discussed and regularly referred to in this book—just know that we’re watching you more than you think… .
     
    Moonlight Maze
    The Moonlight Maze APT was reported as ongoing for well over two years. Numerous government, military, and academic networks were purportedly probed, and there was a pattern to the adversaries’ activities that was specific enough to generate a name for this course of events. According to publicly available information (public search engines), this event was traced back to a mainframe system in Russia. The actual perpetrators were never caught, nor was any additional information about the series of events released. This would be considered an APT without a doubt: specific individuals or groups were targeting specific sensitive systems belonging to specific industries.
    The overall ability to probe these networks for this period of time without detection or direct attribution illustrates a degree of expertise and resources. The devil always lies in the details. The observables of this event were never clear or publicly disclosed, but the overreaching capabilities and methods that were publicly disclosed are enough to review.
    The following are some of the observables known about this event. They illustrate the measurable details that were more than likely used as metrics for gauging this adversary over the course of the investigation into this threat.
     
    Moonlight Maze Observables

    Observable                  Details
    Attack origination points   Unknown
    Numbers involved in attack  Unknown
    Risk tolerance              Unknown
    Timeliness                  Systems accessed for more than 2 years
    Skills and methods          Unknown
    Actions                     Persistence and acquisition of foreign intelligence
    Objectives                  Espionage
    Resources                   Several years’ worth of code and infrastructure development and operations
    Knowledge source            Not much available online
     
    Stakkato
    The Stakkato series of events was perpetrated by an individual or group by the name of Stakkato, which included a 16-year-old from Uppsala, Sweden. Several other supposed accomplices were searched, and several computers were seized. This threat was advanced from the perspective of the methods Stakkato used to operate and easily gain access to stolen data via remote exploits of Linux-based systems and compromised accounts and logins.
    By using local kernel exploits (a sophisticated technique that requires a high level of knowledge and advanced development skills), Stakkato managed to elevate privileges and gain control of various systems within numerous government agencies and private sector enterprises. Stakkato infiltrated mostly US supercomputing laboratories and used their TeraGrid network, which is a high-speed international distributed network that connects numerous academic, military, and government systems. Via stolen login credentials, Stakkato was able to gain access to these systems for well over two years. Finally, Stakkato was able to gain access to Cisco Corporation’s router Internetwork Operating System (IOS) source code, which enabled the attacker to develop custom exploits, rootkits (backdoors), and enhanced control of routers around the world.
    Things got a little complicated when world government and military systems became involved in the incidents. The primary suspect was apprehended and is currently going through due process in the judicial system.
    Stakkato was able to attack and move throughout global enterprises across numerous countries, hopping jurisdictions. This is one of the primary reasons Stakkato was able to operate for as long as it did. However, the following examples show how specific observables helped lead to the apprehension of Stakkato.
     
    Stakkato Observables

    Observable                  Details
    Objectives                  Curious hacker turned cyber criminal entrepreneur
    Timeliness                  Operated at various times of the day
    Resources                   Unknown
    Risk tolerance              Unknown
    Skills and methods          In-depth knowledge of Linux kernel and router programming
    Actions                     Numerous compromised enterprises
