Moonlight Maze

Moonlight Maze was a data breach of classified U.S. government information lasting from 1996 to 1998. It represents one of the first widely known cyber espionage campaigns in world history. It was even classified as an Advanced Persistent Threat after two years of constant assault.

The investigators claimed that if all the information stolen was printed out and stacked, it would be three times the height of the Washington Monument, which is 555 ft tall.

History
It started in 1996 and affected NASA, the Pentagon, military contractors, civilian academics, the DOE, and numerous other American government agencies. By the end of 1999, the Moonlight Maze task force was composed of forty specialists from law enforcement, military, and government.

Information recovered in the hack may have included classified naval codes and data on missile-guidance systems, as well as other highly valued military data. The attackers also stole tens of thousands of files containing technical research, military maps, U.S. troop configurations, military hardware designs, encryption techniques, and unclassified but crucial data relating to the Pentagon's war-planning. With the information acquired from the attack, the hackers might have been able to cripple US missile defense systems and cause an unimaginable amount of damage.

The Russian government was blamed for the attacks, although there was initially little hard evidence to back up the US accusations besides a Russian IP address that was traced to the hack. Although Moonlight Maze was regarded as an isolated attack for many years, unrelated investigations revealed that the threat actor involved in the attack continued to be active and employ similar methods until as recently as 2016.

It was not until many years later, however, that information would come out linking Turla to Moonlight Maze. A group consisting of Kaspersky's Guerrero-Saade and Costin Raiu, and King's College London's Thomas Rid and Danny Moore was able to track down a retired IT administrator who was the owner of a 1998 server which had been used as a proxy for Moonlight Maze. This was a huge breakthrough considering the long period of presumed inactivity (almost 20 years). They then used the server to spy on the threat actor, and were able to retrieve a complete log of the attackers code, with which after almost a year of thorough analysis, they were able to find a connection between rare Linux samples used by both Turla and Moonlight Maze (the code they shared was related to a backdoor used on LOKI 2, an information tunneling program released in 1996).

Methods of attack
The hackers found success since software manufacturers and maintainers were not vigilant about making sure there were no flaws in their systems. They would leave known vulnerabilities unpatched for long periods of time, sometimes as long as six months to a year, neglecting any security patch cycles. This was because prior to Moonlight Maze, few were aware of the damage that could be done through cyber attacks since the internet was still relatively new. As a result, they were extremely vulnerable and not very difficult to infiltrate, resulting in one of the largest data breaches of classified information in history. In order to conceal their location and throw off investigators, the hackers relayed their connection through various vulnerable institutions like universities, libraries, and more since the servers they hacked could only see the last location they routed through (called proxying).