The artifacts they found on Hedges’ server provide an interesting look at the group’s early operations, showing how they improved their code and methods over time, if indeed they are the group now known as Turla.
“It’s almost like archaeology; you can see the evolution of tradecraft,” Rid told Motherboard. “There was a lot of handiwork involved. They didn’t really use automated command-and-control at the time; they actually had to log in and move data around [manually].”
The Moonlight Maze group stripped away components that didn’t work and combined tools that did to make them more potent. And unlike modern hacking operations that use a lot of automated scripts, the Moonlight Maze operators did everything in real time. They would log-in to Hedges’ server in the morning and manually set up tasks to tell their malware what to do, which got populated out to all the infected machines on DoD and government networks that they controlled.
“This is hacking in the 90s, so it looks very different from what we’re used to in modern operations,” Guerrero-Saade said.