EPISODE 84

MOONLIGHT MAZE

MOONLIGHT MAZE

It’s 1999 and Bob Gourley is investigating what many consider to be the first ever case of large-scale, international cyber espionage. It would take a massive, inter-agency operation to hunt down those responsible for stealing an incomprehensible amount of sensitive US information. That’s when it got personal, and Bob and his team became targets themselves.
Read the transcript →

NARRATOR: Welcome to True Spies. Week by week, mission by mission, you’ll hear the true stories behind the world’s greatest espionage operations. You’ll meet the people who navigate this secret world. What do they know? What are their skills? And what would you do in their position? This is True Spies, Episode 84: The Moonlight Maze.

BOB GOURLEY: Some of this needs to remain sensitive for a lot of reasons. There really could be people whose lives are still at risk because of the job they're doing today. 

NARRATOR: Some missions are never truly accomplished.

BOB GOURLEY: We really should have had our defenses raised prior. But again, this was the first advanced persistent threat to do this kind of operation.

NARRATOR: Meet Bob Gourley, a former director of intelligence at the Department of Defense. The overall view of the Department of Defense was quickly becoming: “This is a hostile nation-state espionage operation.” It’s 1999, and Bob has the dubious honor of investigating what many consider to be the very first case of large-scale, international cyber-espionage. It’s a massive, inter-agency operation to hunt down those responsible for the theft of an incomprehensible amount of sensitive information.

BOB GOURLEY: Scientific and technical information, some of it extremely detailed, about our weapon systems, our sensors, our programs, and our scientific research.

NARRATOR: An attack vector that was so new, even the highest reaches of the US government weren’t quite sure what to do about it.

BOB GOURLEY: How will you know if the bad guy has penetrated your computer? Well, when you see that they've stopped trying, it probably means that they're in.

NARRATOR: With no clear enemy to blame, inter-departmental relations within the government would be tested to their limit.

BOB GOURLEY: The FBI really got angry and pushed back in a serious way. “You can't say that,” they told me. One of the law enforcement people there even told me that this could actually be interfering with an investigation. And, if so, I could get in serious trouble by doing this. We had to press on and pursue, however.

NARRATOR: Not only was the US government caught off guard, but the attack would also signal the beginning of a digital game of cat and mouse - a game that continues to this day.

BOB GOURLEY: And there have been indications of adversaries targeting me personally, and targeting many others. Anybody working in the Department of Defense these days who is connected to the internet needs to be aware that adversaries are targeting your computers at home, and you need to take extreme steps to make it hard on them to accomplish their mission. 

NARRATOR: And where does a hack of this magnitude start? Washington? The UN? The Pentagon? Not this one. This story begins in Dayton, Ohio. On an uneventful weekend in the summer of 1998, at the Wright-Patterson Air Force Base which sits on the southern bank of the curiously-named Mad River. A government contractor logged on to perform some routine maintenance and he noticed something strange. Someone else was connecting from their offices to the military compound’s systems. Nothing unusual there, you might think. But this was 3 am on a Sunday and the contractor was performing some routine, after-hours maintenance. The contractor quickly confirmed with the account’s owner that it wasn’t them and immediately picked up the phone to alert the military. Meanwhile, Bob was blissfully unaware that he’d soon be thrown into a whole new world of online espionage. A world a million miles from what he was previously tasked with.

BOB GOURLEY: I was an operational intelligence officer, a Navy intelligence officer, working in the Department of Defense, to help understand threats and help drive appropriate decisions in response to those threats. In the mid-1990s, this was really the early days of the internet and we could tell it was going to grow globally. There had been evidence that hostile foreign powers would use their intelligence services to use the internet for themselves to conduct espionage.

NARRATOR: But so far, that threat was mostly theoretical. To understand exactly how new this type of attack was, we first need to understand the global political changes that were going on at the time. The fall of the Berlin Wall at the end of the 1980s had sent a signal of hope for the incoming decade. But, within a year, the first Gulf War began, bringing with it a new era of hostility, a new president, and a new type of fear terrorism. Between the 1993 attack on the World Trade Center and the Oklahoma bombing in 1995, terrorists had become the new high-profile enemy. It’s perhaps understandable, then, that the US government’s attention wasn’t fixed on the emerging technology behind what we now know as the World Wide Web. Not yet, at least. But there had been some warnings.

BOB GOURLEY: In the early 1980s, there was a hack that involved Star Wars projects. 

NARRATOR: No, not the movie series. ‘Star Wars’ was the name given to the ambitious, Reagan-era nuclear missile defense program. And the KGB was very cautious, very careful, but encouraged these hackers to provide more information, and eventually taught the KGB that there's something here. And by the mid-90s, there were a lot of other hacks that were kind of proof of concepts. But there had yet to be any large-scale espionage by a nation-state - yet.

NARRATOR: Bob should know. He cut his teeth providing reports on the Soviet Navy during the 80s when the Cold War was still rumbling on. Back then, things were a little more ‘old school’ shall we say. 

BOB GOURLEY: We would get any source of information we could - from humans, from spies to satellites, the sensors being placed, reports from our own ships and submarines - and we pulled together a picture of this dynamic activity. 

NARRATOR: From an intel perspective, Bob was hopeful that the rise of the internet would usher in a new age of democracy.

BOB GOURLEY: We believed that this internet would cause countries to be more transparent and open and put pressure on dictatorships to be more free. In hindsight, we were very naive. But that was the feeling at the time.

NARRATOR: To be fair to Bob, none of us expected the internet to become the source of division and disinformation that it is today. He saw it as an opportunity to share intelligence between departments on a previously unimaginable scale.

BOB GOURLEY: What we needed was a way to move large files, and index those files, and know what images you might want from one of your partner organizations. So the Navy could know what images the Army has, and the Marines would know what images the Special Forces have. 

NARRATOR: Advances in the internet may have been the perfect tool for distributing that intel, but without the usual physical protection - fences, guards, and locks - there was a new problem: digital security. 

BOB GOURLEY: How can you expose that to the good guys without letting the bad guys see it?

NARRATOR: The short answer? You couldn’t. And Bob was about to find himself enlisted to be part of the team to change that. First, a quick jargon briefing for you. If you’re a regular listener to True Spies you’ll know that in the world of hacking a ‘red’ team plays the role of adversary during simulated attacks. Then there’s SIPRnet. [Secret Internet Protocol Router Network]. That’s a system of interconnected networks used by the US Department of Defense to transmit classified information. An intranet.

BOB GOURLEY: There was a very famous military exercise called Eligible Receiver 97 where a red team working underneath NSA was able to prove that they could go from the internet and attack the Department of Defense's classified SIPRnet networks. And they were able to prove, beyond a shadow of a doubt, that they could interfere with databases, including databases important to military logistics and military healthcare. They proved that they could change fields in databases like blood types. 

NARRATOR: Think about it. With just a stroke of a keyboard, your military medics could be administering life-threatening transfusions to their own troops. This is serious stuff, and it woke up a lot of people. And bear in mind that this was just a proof of concept. Imagine if they found their way to things like missile codes and nuclear secrets? Almost immediately after the Eligible Receiver exercise, an order came directly from the Pentagon. Deputy Secretary of Defense John Hamre had called a meeting to see what steps could be taken to improve government network security. One of the answers? A new tool that claimed to detect when someone was snooping around your computer. 

BOB GOURLEY: Going off my memory, ISS sold a capability called RealSecure, which in these early days was something like a firewall or intrusion detection system that would let you know who is trying to hack you through your network. 

NARRATOR: The problem wasn’t that RealSecure didn’t work. It was perhaps that it worked too well. Several months after installing it, Hamre called a meeting to see how things were going. Not well, according to one decorated general in the room. Spotting his chance to air his grievances, he leaned forward and proclaimed that the tool had brought nothing but trouble. Before the arrival of RealSecure, things had appeared just fine. Now, he earnestly complained, he was receiving multiple intruder alerts every day.

BOB GOURLEY: You install a device and now you see there's a lot of adversary activity in your network. And the wrong kind of leader will say: “Oh, that's a bad thing. Let's take it off my network.” The right kind of leader will say: “Alright, let's figure out what we can do to stop this adversary activity and reduce the risk that they're giving me by being in my network.”

NARRATOR: Fortunately, not everyone in the meeting felt the same way as the general. The Eligible Receiver exercise had demonstrated that the US military was vulnerable to attack and that they needed a more robust frontline defense. The RealSecure technology had merely dialed up the urgency. If it was consistently flagging alerts, any one of those could be a legitimate attack. Something had to be done. Or, as Bob suggested, the right leaders had to be found.

BOB GOURLEY: Because of these and many other operations, a joint task force was created - the Joint Task Force for Computer Network Defense. The joint task force was to help defend all Department of Defense computers, all Department of Defense networks, about 6m computers, about 10,000 networks - so a big job.

NARRATOR: You know, just your everyday role, overseeing 6m computers and 10,000 networks that hold all the military secrets for the world’s biggest superpower. 

BOB GOURLEY: A two-star general was appointed to lead this task force. He reported directly to the Secretary of Defense. Later, he would report to Space Command. This joint task force had intelligence support, and I was that director of intelligence. 

NARRATOR: By now, it’s December 1998, and Bob gets started on his newly-minted role ensuring the DoD’s computer systems are adequately equipped to fend off attacks. Little did they know, they were already recipients of a highly sophisticated hack.

BOB GOURLEY: Another office was inside the Joint Staff J2, which would help the J2 coordinate in this new world of information warfare. We staff action officers talked and one of the action officers in that office told me about an investigation called Moonlight Maze, which at the time was being run by the FBI.

NARRATOR: A J2, just so you know, is Department-of-Defense-speak for Director of Intelligence. His colleague told him about the intrusion detected at Wright Patterson Air Force base and how the threat was working its way through the entire catalog of government departments. As a fellow intelligence officer, Bob was curious but eager not to step on any toes. He has 6m computers to take care of, remember.

BOB GOURLEY: This is the first I heard of this Operation Moonlight Maze. I'll never forget my response when he told me about that. I told him, essentially, well: “That sounds very important. I'm glad you guys are on that.” Essentially saying: “Look, I'm busy. I'm not going to have anything to do with this. You guys handle it.”

NARRATOR: Those are what are known in the industry as 'famous last words’.

BOB GOURLEY: So the investigation was well underway. There was a task force that had already been stood up with members from the FBI, but also the Air Force, Office of Strategic Investigations, the Navy Criminal Investigative Service (NCIS), Army counterintelligence, and a couple of other Department of Defense agencies were also in support. But this Moonlight Maze Task Force had already been functioning as we were being stood up.

NARRATOR: Bear in mind, that all the while there’s an active hack going on, and a lot of information to wade through. And the FBI is taking the lead in the investigation with its own joint task force - one that Bob was about to be invited to join. This new task force meant Bob was officially now one of the ‘guys that are on it’ although he’s limited to heading up the Department of Defense’s intelligence gathering, so he has to stay in his lane.

BOB GOURLEY: Taking over this responsibility, we had to review all the information we could get our hands on (from) Moonlight Maze. 

BOB GOURLEY: Moonlight Maze had already been under investigation. And those investigators were able to go back further in time. And they believe that the first incidents were really occurring back as far as 1996. 

NARRATOR: 1996? Bob and his cohort of government agencies had to face the startling reality that, whoever this was, had possibly been meddling around in government systems for two years already. From an operational standpoint, they were even further behind their attackers than they had previously thought. From a security standpoint... Who knows what secrets they could have stolen or what mission-critical information they had taken? They had some idea, but it was far from complete.

BOB GOURLEY: The kind of data that was being looked at was scientific research data, primarily. So it was things like data from wind tunnels, data of aircraft design, data from the Army Corps of Engineers, on rivers, and the flooding of rivers, and other environmental data, data from the Air Force on things like the total volume of the atmosphere, and the total electron count of the atmosphere. 

NARRATOR: Remember, this is just what they knew had been taken. With so much backlog to work through it was possible they had already reached something far more sensitive. The Eligible Receiver exercise had taught them how just one simple edit to a database could put lives at risk. But what if they used the aircraft plans to find a weakness or a way to develop new weapons based on engineering data? Just take a moment to imagine the consequences of an enemy state getting hold of that information.

BOB GOURLEY: And I recall many other extremely interesting-sounding scientific and technology-related data that were either defense programs, or things collected about defense programs, or by defense organizations that were of use to defense programs. 

NARRATOR: The main frustration? They still had no idea who was behind the Moonlight Maze hack. The DoD’s original joint task force, or JTF if you’re in the know, really had to up their Computer Network Defense - or C.N.D. - game.

BOB GOURLEY: Coincidentally, before taking over this position as the first J2 of JTF CND, I met with several of my mentors including a retired Admiral, Mac Showers, who had been an intelligence officer in World War II. Mac was part of this team of people who ended up contributing the intelligence that really helped win the Battle of Midway, one of the most important battles in Naval history. Mac gave me his views on all-source intelligence and the importance of being proactive and creative and doing this. I also met with other mentors before taking this job. 

BOB GOURLEY: They all underscore for me, my mission had to be not just sit back and take requirements from my J3, take requirements from my boss, but to create a mechanism that can drive operations by finding the most operational actionable intelligence. 

NARRATOR: Let me translate that last line for you: Bob’s mentors were telling him to think outside the box. Let the intelligence lead you. Don’t just follow orders. With the wisdom of his mentors fresh in his mind, Bob realized that they needed to think differently. So far, the Moonlight Maze investigation has been handled by the FBI. Bob may have been part of the new task force, but they’re basically starting from scratch, barely putting together the tiny shards of evidence they do have. 

BOB GOURLEY: You know, there were so many incidents as part of this intrusion set. But we were able to develop commonalities as we looked at all of them together. Frequently, the intruder would have actual login credentials. And so, they would log in as a remote user. But it wasn't the real user. And we would find out from some other ways it might be the time of day they were logging in, or the person was on vacation, but still logging in.

NARRATOR: A few stolen passwords and a broad time window of the hackers’ preferred working hours wasn’t much, but it was a start. The timestamps from the logs indicated that the hackers tended to operate about nine hours ahead of the US. Bob and his team only had to look at a globe to realize that nine hours ahead of the US would neatly put you in the Middle East or Western Russia. Iran was particularly well placed, but so was an old friend: Moscow.

BOB GOURLEY: There were other tradecraft indicators that were common across all of these intrusion sets. They were attacking the same basic kinds of systems. And they were using the same type of tools, tools that were available to the hacker community. 

NARRATOR: Yep, even back then people were sharing software like some people share Netflix passwords. 

BOB GOURLEY: But this organization that was doing these intrusions were always using the same tools because they were so good at them. And they would carefully clean up after themselves, and also how they would move the data to stage computers in a complex global web. So we really couldn't tell where the data was going at first.

NARRATOR: Slowly, they started to profile their target. But another problem started to emerge. Constant reminders that this was an FBI investigation. The Bureau would frequently point out that to ‘establish justice’ was the very foundation of the US Constitution. Bob responded by pointing out the fuller text of the preamble, which says that is not the only reason the nation was formed, it was also to ‘provide for the common defense’ and that was the role of DoD. Constitution aside, the FBI had recently been embroiled in a campaign finance controversy with agents claiming they were impeded in their investigation by an attorney in the Department of Justice. Perhaps they were cautious about creating any similar embarrassments? Bob would have to tread carefully if he wanted to avoid a turf war.

BOB GOURLEY: We studied everything we could of what came before us, and then started to think as intelligence professionals, not law enforcement professionals. You see, there was tension here. The FBI led the law enforcement approach and their approach at the time was very much to collect evidence, collect forensics, investigate, assuming that there could be a criminal case. So you need to maintain ‘chain of custody’ rules and not let this information leak out, and not jump to any conclusions because you have to go where the evidence leads you. Well, as an intelligence professional, that's very important, but that's not our only methodologies. We can come up with assessments based on who we think might be doing something, and then collect information to confirm our assessments or not. So my approach was to look at all of this information, but also look at every possible adversary that could be responsible for this, and then do analysis and assessments and collect information to see who it might be.

NARRATOR: It was a risky move on Bob’s part. On the one hand, he’s doing the job required of him: gathering intelligence. But with the FBI leery of any interfering, relationships are strained. If Bob’s team did cross a line, there wouldn’t just be internal friction, it could risk alerting the media or worse, the enemy, to their activities. If he was to consider every possible adversary, he had to do it very carefully. And he had to be very delicate about keeping the FBI onside.

BOB GOURLEY: We started calling meetings of the intelligence community. They had been coordinating before, but now there was a two-star general in the Department of Defense, a J2 in this JTF (me), who was able to call meetings and create a new venue to say: “We need to know what's happening.” 

NARRATOR: Bob is starting to feel frustrated. He has to let the FBI investigation do its thing, but his instincts are telling him there’s more to the story. At least now he has the authority to coordinate interdepartmental information sharing. Remember, his official role is to protect the Department of Defense from this attack. But Bob’s gut is telling him this is more than a criminal case. He just needs to ‘accidentally’ prove that somehow.

BOB GOURLEY: And of course, we also invited the law enforcement and counterintelligence community and Department of Defense, and the FBI. The FBI, frankly, was not very happy with our approach. 

NARRATOR: Bob’s 'all source' method is not going to sit well with the FBI’s evidence-based criminal investigation. The FBI deals in cold, hard facts. Bob and his ‘maybe’s’ weren’t well received. Oh, and he might actually even be doing something illegal - according to the FBI at least.

BOB GOURLEY: And one of the law enforcement people there even told me that this could actually be interfering with an investigation. And if so I could get in serious trouble by doing this. 

NARRATOR: But it would take a little more than a public ticking off to keep him from following the advice of his mentors. Bob’s experience gathering intelligence on the Russians has taught him that there’s always more to the iceberg than what you see above the surface. After several months of investigations, he’s acutely aware that every day that passes is giving the hackers more time to steal something truly devastating. His patience with deferring to the FBI is wearing thin.

BOB GOURLEY: We had to pursue and press on, however, and the general approach of all law enforcement was: “You cannot treat this as a hostile foreign power unless you have evidence that it's a hostile foreign power.” Our approach was different. 

NARRATOR: You’ve seen the movies. Every cigar-smoking detective wants to be the one to catch the crook. In the real world, it’s a little more complicated. It’s not just about the glory of busting the bad guy, there are layers and layers of red tape, endlessly documented procedures and well... good old garden-variety pride to navigate. If Bob was going to convince the FBI that this isn’t a simple criminal matter, but one of national security, he’d need to get a little more creative. And then Bob’s team gets a lucky break. Investigations had identified a server in the UK that was regularly used as a gateway to access the DoD systems. Unbeknown to the hacker, the investigators have a plan. Instead of kicking them off the server, why not let them think they’re getting the good stuff?

BOB GOURLEY: The honeypot. Very new technology at the time and very rapidly followed by a honeynet. How can you get multiple computers working together to collect information on an adversary who thinks they're hacking a real site?

NARRATOR: Today, it’s a tried and true technique. Use your enemy’s greed against them. For Bob and his team, this was as simple as creating a folder full of files with a suitably tempting name about something they knew the hacker would be interested in. And then, expanding that into an entire fake network with plenty more juicy-looking bits of information to steal. They made an even more cunning plan: to embed a virtual ‘beacon’ into these files which could periodically signal back to base vital information about the hacker’s location. Bob’s team already had the incidental timezone evidence. Now they had the live data from the honeypot which showed that some connections were coming from an internet provider in Russia. Also, whoever was doing this had tools and talent that you’d only really expect from a government-backed operation.

BOB GOURLEY: It's almost as if there was a junior team and they would reach a hard spot. And they would then call in the pros who would come in and they would complete the operation. 

NARRATOR: But they still needed a smoking gun. Days later, one of his colleagues came to him. They’d found a small clue hidden deep in some encrypted log files. By reverse-engineering some of the encrypted commands, he’d found they had originally been written in Cyrillic. Hmmm. But as any True Spies listener will know, decoys are a hallmark of good tradecraft and Bob couldn’t rule out the idea that this was another nation trying to throw them off the scent. 

BOB GOURLEY: It was around this point, I went to one of my mentors and in a classified environment briefed him on everything I saw and just asked what he thought. And he suggested to me that I go into the intelligence archives, and look for information that was provided years before, decades before by a famous spy, Oleg Penkovsky. Penkovsky provided his information to the west in ‘61-’62, was captured and died a horrible death in ‘63, because he did not like the communist government in its oppression of the people in the Soviet Union.

NARRATOR: Oleg Penkovsky, spy fans, was a notorious Russian double agent. A True Spy if you will. He’s notorious for providing crucial information to the West about the readiness of Russia’s weapons in the Caribbean, while also serving as a colonel in the GRU - the USSR’s Military Intelligence agency. Do the words ‘Cuban Missile Crisis’ ring any bells? Anyway, his intel enabled the US to call Russia’s bluff and potentially avoid a nuclear war. His 'horrible' death? Official records say he was shot, but some sources claim he was actually burned alive. 

BOB GOURLEY: The information he provided included insights on how the GRU worked, and how it embedded officers in the technology community to acquire information. 

NARRATOR: Specifically, Penkovsky explained how the USSR often leveraged civilian organizations, like the Soviet Academy of Sciences, to collect information for them. Using the intel from a former Russian agent was unorthodox, to say the least. But in the absence of any hard evidence, even using old GRU techniques was something.

BOB GOURLEY: It ended up being a really good tip. It allowed us to tailor our collections to find out what was really happening. Well, very quickly, the prime candidate became the Russian GRU, a direct descendant of the Soviet GRU. We knew that they had intentions to operate in cyberspace. We knew that they were investing in that. We knew from Oleg Penkovsky’s papers, of decades before, that the GRU was used to working with their scientific community. And if they had information that's technical that they wanted, they tried to collect it themselves or they might go to their own technology community and get their scientists to go overseas and go to conferences and bring information back.

NARRATOR: Well, whoever it was in their network, they definitely had a taste for collecting information. But he was about to put Penkovsky’s insights to the test.

BOB GOURLEY: Some of this needs to remain sensitive for a lot of reasons. There really could be people whose lives are still at risk because of the job they're doing today. So let me just kind of filter this and say we have information that indicates what Russia wanted when it comes to their intelligence priorities. And we have information on what the Moonlight Maze hackers were interested in because we would go and interview the organizations that had a server that was hacked. And the correlation was uncanny and amazing and unique. It was almost an exact match. Things that the Russian government wanted to be collected by their intelligence services were being collected by the Moonlight Maze attacker. We could not say the same about any other nation. This was not what Iran, Iraq, North Korea, China, were interested in collecting. This is what Russia was interested in collecting.

NARRATOR: If it sounds like Bob is holding information back here, that’s because he is. This mission may have been decades ago, but many of the details still remain classified. All you need to know is that the intel was clear: Russia is seeking certain information and that information just happens to perfectly match what the hackers were taking. Oh, and they had the perfect institution to use as a cover, too, just as Penkovsky said they would.

BOB GOURLEY: We also knew that organizations that had worked with the GRU, like the Soviet Academy of Sciences, still existed, but now they were the Russian Academy of Sciences. We also knew that the Russian Academy of Sciences was investing heavily in the internet and in capabilities to help them just leverage this new technology of the internet. So that became an operational thesis that we then started collecting information on.

NARRATOR: And this is where things get a little tricky for Bob. He’s convinced that all the evidence points to Russia. This meant he was about to put the cat among the proverbial FBI 'pigeons'. 

BOB GOURLEY: And this did cause tension. It caused tension when I started making an assessment that we have enough information at this point to say it is probably the Russian GRU behind this.

NARRATOR: You’ve spotted the problem, haven’t you? You can’t take a nation to court. If it really was the Russians, the FBI had effectively been wasting their time. Or at the very least, they could feel like the Department of Defense had been undermining their case. And sure enough, when Bob delivered his assessment to his superiors, it didn’t go down well.

BOB GOURLEY: The FBI really got angry and pushed back in a serious way. “You can't say that,” they told me. “Are you saying that Russia has conducted an act of war against us by attacking our systems?” I said, “No, I have not said they have conducted an act of war. I've assessed that Russia, the GRU, is conducting an espionage campaign against our networks.” Traditionally, espionage has not been an act of war.

NARRATOR: But the FBI wasn’t going to give up their case without a fight. In what might be considered an incredibly bold move, someone suggested the unthinkable: What if they just asked the Russians directly if they were the perpetrators? This was a risky plan, to say the least. Firstly, the Cold War might have been over, and relations between the two countries were relatively cordial, but any missteps could unravel years of diplomatic progress. Secondly, there’s a very real risk that... Well, I’ll let Bob explain.

BOB GOURLEY: It was not unanimously thought that this would be a good idea because doing this is going to show your hand completely. You will show the GRU what you know if you do this. The Department of Defense did not want this to happen. The Department of Justice wanted this to happen. They went out. 

NARRATOR: The FBI, if you weren’t sure, comes under the Department of Justice. Meaning that the tables had now turned. By sending a delegation to Russia, it’s the Department of Defense’s own investigation that’s at risk of being exposed and, ultimately, ruined. But to the FBI’s credit, they had a card to play, a crucial bargaining chip with the Russian Ministry of Internal affairs - the MVD.

BOB GOURLEY: There was a unique opportunity at the time for the FBI to ask a favor of the MVD. They had just done a favor for Yeltsin. And they asked, and they were granted permission to send a legal team over to Moscow to conduct a law enforcement investigation like they would with any other country. 

NARRATOR: While the FBI and some agents from the Department of Defense packed their bags for Moscow, Bob is left to sit on his hands back home. He knows this is a risky play, but it’s the only way they can proceed without igniting an internal spat with the FBI. All he can do now is wait.

BOB GOURLEY: The FBI led a team over there. It was primarily Department of Defense investigators that went. They went with a lot of knowledge in their head of what these intrusions were, and some written information.

NARRATOR: At first, things seemed to be going well. The Russians rolled out the red carpet complete with clear liquor and caviar. The mood was light and spirits were high. The Americans had arrived with copies of all the stolen files. The plan was to confront the Russians with it and catch them on the back foot. But to their surprise, the Russian general who received them was not only cooperative, he came walking in with folders full of log files under his arm that confirmed they were behind the hack. The US agents were dumbfounded. Until now, the FBI still wasn’t convinced that Russia was the attacker, or that they would even acknowledge it if they were. Yet, here they were being presented with the smoking gun they needed - on a silver platter no less. And this was only day one. What other insights might they gain in the following days?

BOB GOURLEY: The Russian MVD cooperated for one day out of this four-day trip. That was the first day. After that, all cooperation stopped and the team was just simply given tours of Moscow.

NARRATOR: Put yourself in their position. One minute you’re the guest of honor, sitting at the table with a general hand-delivering what effectively amounts to a full confession. Yet, the very next day you’re relegated to a tourist, reluctantly wandering the halls of the Bolshoi Theater. They never heard from the general again and no explanation for the change of plans was ever offered. The delegation packed their bags and returned to Washington D.C.

BOB GOURLEY: My belief is that's because the MVD did not know this was a GRU operation. Once they found out it was a GRU operation they, of course, stopped the coordination. 

NARRATOR: For a brief moment, they worried that the general’s open admission might have been a bluff. It really did feel too good to be true. 

BOB GOURLEY: One of our very quick-thinking OSI agents wanted to make sure that there was no kind of deception or a plant involved. 

NARRATOR: OSI? That’s the Office of Special Investigations. And he remembered the exact date and time of another intrusion. So he said: “Can I see this date?” And they turned through the logs and picked up that date and said: “Yes, it's right here.” And sure enough, it matched his recollection of the incident. 

NARRATOR: In hindsight, the US delegation speculated that sending them on a mystery tour of Russian monuments was a deliberate delay tactic. One that secured the GRU a few days to quietly dismantle its hacking operation. This, of course, was a bittersweet outcome for Bob. 

BOB GOURLEY: Well, frankly, we have to move fast because now the GRU definitely knows just about everything and knows that we are detecting them. And they will be able to assume that we had things like honeypots and that we're watching their methodology. And sure enough, we did move fast. We pushed as hard as we could to improve our patching and improve our security. We purchased new encryption equipment. We increased our ability to do forensics. We increased our ability to do operational security, and increased the manning of our computer emergency response teams. We increased, within a very formal way, our ability of the intelligence community to support computer network incidents. So we've really upped our game. 

NARRATOR: It might not be the resolution he had hoped for, but it lit a fire under the Department of Defense that no amount of risk assessment briefings or hacking exercises like Eligible Receiver ever could. And, albeit not the ending Bob had wanted, it did mean the end of the years-long hack. Sort of.

BOB GOURLEY: And for a while, for at least a brief moment in time, the Russian activity stopped. We pushed them out of our network.

NARRATOR: But you’d be foolish to think this was the end of the matter. As you may remember, some missions are never truly accomplished.

BOB GOURLEY: Now, that’s not the end of the story. Just like in espionage, you roll up one espionage operation, and they're back again soon. And sure enough, the cyber attacks were back. Very quickly after this, there was a major intrusion set that we attributed to the Chinese, for example. And the Russians came back in much more quiet sensitive covert ways. It was even harder to find them the next time. About a decade later, they got so advanced, they were able to put malicious code on unclassified systems that would replicate itself into classified systems. That same code, traces of it, looked very much like code being used in the Moonlight Maze intrusions, by the way.

NARRATOR: But for Bob, the silver lining was clear. He and his team were able to lay a foundation for cyber defense, the legacy of which is still felt today. 

BOB GOURLEY: I would say that this marked the beginning of a discipline called cyber threat intelligence. The cyber threat intelligence we generated, using these methodologies as part of Moonlight Maze, is now an accepted discipline in the cybersecurity community. Today, threat intelligence informs the actions of governments and organizations across the industry. So actionable intelligence on adversary tactics and techniques and tools is really critical and it came out of this operation.

NARRATOR: I'm Vanessa Kirby.


Guest Bio

Cyber intelligence pioneer Bob Gourley was the director of intelligence at the DoD's first cyber command, and would later be appointed as the chief technology officer at the Defense Intelligence Agency. Today Bob is a SPYEX consultant and the chief technology officer at OODA, providing cybersecurity support to companies and organizations.

No items found.
No items found.