Welcome to True Spies. Week by week, mission by mission, you'll hear the true stories behind the world's greatest espionage operations. You'll meet the people who navigate this secret world. What do they know? What are their skills? And what would you do in their position?
This is True Spies. Some of this needs to remain sensitive for a lot of reasons. Let me just kind of filter this. There really could be people whose lives are still at risk because of the job they're doing today. This is True Spies. Episode 84, The Moonlight Maze. Some missions are never truly accomplished.
We really should have had our defenses raised prior, but again, this was the first, the first advanced persistent threat to do this kind of operation. Meet Bob Gourley, a former director of intelligence at the Department of Defense. The overall view of the Department of Defense was quickly becoming, this is a hostile nation-state espionage operation.
It's 1999 and Bob has the dubious honor of investigating what many consider to be the very first case of large-scale international cyber espionage. It's a massive interagency operation to hunt down those responsible for the theft of an incomprehensible amount of sensitive information.
Scientific and technical information, some of it extremely detailed about our weapon systems, our sensors, our programs, and our scientific research.
An attack vector that was so new, even the highest reaches of the US government weren't quite sure what to do about it. How will you know if the bad guy has penetrated your computer? Well, when you see that they've stopped trying, it probably means that they're in. With no clear enemy to blame, interdepartmental relations within the government would be tested to their limit.
The FBI really got angry and pushed back in a serious way. "You can't say that," they told me. One of the law enforcement people there even told me that this could actually be interfering with an investigation. And if so, you know, I could get in serious trouble by doing this. We had to pursue and press on. Not only was the U.S. government caught off guard, the attack would signal the beginning of a digital game of cat and mouse.
A game that continues to this day. And there have been indications of adversaries targeting me personally and targeting many others. Anybody working in the Department of Defense these days who's connected to the internet needs to be aware that adversaries are targeting your computers at home. And you need to take extreme steps to make it harder on them to accomplish their mission.
And where does a hack of this magnitude start? Washington? The UN? The Pentagon? Not this one. This story begins in Dayton, Ohio. On an uneventful weekend in the summer of 1998, at the Wright-Patterson Air Force Base, which sits on the southern bank of the curiously named Mad River, a government contractor logged on to perform some routine maintenance, and he noticed something strange.
Someone else was connecting from their offices to the military compound's systems. Nothing unusual there, you might think. But this was 3 a.m. on a Sunday, and the contractor was performing some routine after-hours maintenance. He quickly confirmed with the account's owner that it wasn't them, and immediately picked up the phone to alert the military. Meanwhile, Bob was blissfully unaware that he'd soon be thrown into a whole new world of online espionage.
A world a million miles from what he was previously tasked with. I was an operational intelligence officer, a Navy intelligence officer working in the Department of Defense to help understand threats and drive appropriate decisions in response to those threats.
In the mid-1990s, this was really the early days of the internet and we could tell it was going to grow globally. There had been evidence that hostile foreign powers would use their intelligence services to use the internet for themselves to conduct espionage. But so far, that threat was mostly theoretical. We first need to understand the global political changes that were going on at the time.
The fall of the Berlin Wall at the end of the 1980s had sent a signal of hope for the incoming decade. But within a year, the first Gulf War began, bringing with it a new era of hostility, a new precedent, and a new type of fear: terrorism. Between the 1993 attack on the World Trade Center and the Oklahoma bombing in 1995, terrorists had become the new high-profile enemy.
It's perhaps understandable then that the US government's attention wasn't fixed on the emerging technology behind what we now know as the World Wide Web. Not yet, at least. But there had been some warnings. In the early 1980s, there was a hack that involved Star Wars projects. No, not the movie series. Star Wars was the name given to the ambitious Reagan-era nuclear missile defense program.
And the KGB was very cautious, very careful, but encouraged these hackers to provide more information. And eventually taught the KGB that there's something here. And by the mid-90s, there were a lot of other hacks that were kind of proof of concepts, but there had yet to be any large-scale espionage by a nation state. Bob should know.
He cut his teeth providing reports on the Soviet Navy during the 80s, when the Cold War was still rumbling on.
Back then, things were a little more old school, should we say. We would get any source of information we could from human, from spies, to satellites, to sensors being placed places, reports from our own ships and submarines, and pull together a picture of this dynamic activity. From an intel perspective, Bob was hopeful that the rise of the internet would usher in a new age of democracy.
We believed that this internet would cause countries to be more transparent and open and put pressure on dictatorships to be more free. In hindsight, we were very naive, but that was the feeling at the time. To be fair to Bob, none of us expected the internet to become the source of division and disinformation that it is today. He saw it as an opportunity to share intelligence between departments on a previously unimaginable scale.
What we needed was a way to move large files and to index those files and to know what images you might want from one of your partner organizations. So the Navy could know what images the Army has and the Marines would know what images the Special Forces have. Advances in the Internet may have been the perfect tool for distributing that intel. But without the usual physical protection – fences, guards and locks – there was a new problem: digital security.
How can you expose that to the good guys without letting the bad guys see it? The short answer: you couldn't. And Bob was about to find himself enlisted to be part of the team to change that. First, a quick jargon briefing for you. If you're a regular listener to True Spies, you'll know that in the world of hacking, a red team plays the role of adversary during simulated attacks.
Then there's SIPRNET. That's a system of interconnected networks used by the U.S. Department of Defense to transmit classified information, an intranet. There was a very famous military exercise called Eligible Receiver 97, where a red team working underneath NSA was able to prove that they could go from the internet and attack the Department of Defense's classified SIPRNET networks.
And they were able to prove beyond a shadow of a doubt that they could interfere with databases, including databases important to military logistics and military health care. They proved that they could change fields in databases like blood types. Think about it. With just a stroke of a keyboard, your military medics could be administering life-threatening transfusions to their own troops.
This is serious stuff and it woke up a lot of people. And bear in mind, this was just a proof of concept. Imagine if they found their way to things like missile codes and nuclear secrets. Almost immediately after the Eligible Receiver exercise, an order came directly from the Pentagon. Deputy Secretary of Defense John Hamre had called a meeting to see what steps could be taken to improve government network security.
One of the answers? A new tool that claimed to detect when someone was snooping around your computer. Going off my memory, ISS sold a capability called RealSecure, which in those early days was something like a firewall or intrusion detection system that would let you know who is trying to hack you through your network. The problem wasn't that RealSecure didn't work. It was perhaps that it worked too well.
Several months after installing it, Hamre called a meeting to see how things were going. Not well, according to one decorated general in the room. Spotting his chance to air his grievances, he leaned forward and proclaimed that the tool had brought nothing but trouble. Before the arrival of RealSecure, things had appeared just fine. Now, he earnestly complained, he was receiving multiple intruder alerts every day.
You install a device and now you see there's a lot of adversary activity in your network and the wrong kind of leader will say, "Oh, that's a bad thing. Let's take it off my network." The right kind of leader will say, "All right, let's figure out what we can do to stop this adversary activity and reduce the risk that they're giving me by being in my network." Fortunately, not everyone in the meeting felt the same way as the general.
The Eligible Receiver exercise had demonstrated that the US military was vulnerable to attack and that they needed a more robust frontline defense. The RealSecure technology had merely dialed up the urgency. If it was consistently flagging alerts, any one of those could be a legitimate attack. Something had to be done. Or, as Bob suggested, the right leaders had to be found.
Because of these and many other operations, a joint task force was created, the Joint Task Force for Computer Network Defense. The joint task force was to help defend all Department of Defense computers, all Department of Defense networks. About 6 million computers, about 10,000 networks, so a big job.
You know, just your everyday role. Overseeing 6 million computers and 10,000 networks that hold all the military secrets for the world's biggest superpower. A two-star general was appointed to lead this task force. He reported directly to the Secretary of Defense. Later, he would report to Space Command. This joint task force had intelligence support, and I was that Director of Intelligence.
By now it's December 1998, and Bob gets started on his newly-minted role, ensuring the DoD's computer systems are adequately equipped to fend off attacks. Little did they know, they were already recipients of a highly sophisticated hack.
Another office within the Joint Staff J-2 would help the J-2 coordinate in this new world of information warfare. Our staff action officers talked, and one of the action officers in that office told me about an investigation called Moonlight Maze, which at the time was being run by the FBI.
A J-2, just so you know, is Department of Defense speak for Director of Intelligence. His colleague told him about the intrusion detected at Wright-Patterson Air Force Base and how the threat was working its way through the entire catalog of government departments. As a fellow intelligence officer, Bob was curious, but eager not to step on any toes. He has six million computers to take care of, remember. This is the first I heard of this Operation Moonlight Maze.
I'll never forget my response when he told me about that. I told him essentially, well, that sounds very important. I'm glad you guys are on that. Essentially saying, look, I'm busy. I'm not going to have anything to do with this. You guys handle it. Those are what are known in the industry as famous last words. The investigation was well underway. There was a task force that had already been stood up with members from the FBI.
Also the Air Force Office of Strategic Investigations, the Navy Criminal Investigation Service, NCIS, Army Counterintelligence, and a couple other Department of Defense agencies were also in support. But this Moonlight Maze Task Force had already been functioning as we were being stood up. Bear in mind that all the while there's an active hack going on and a lot of information to wade through.
And the FBI is taking the lead in the investigation with its own joint task force, one that Bob was about to be invited to join. This new task force meant Bob was officially now one of the guys on it. Although he's limited to heading up the Department of Defense's intelligence gathering, so he has to stay in his lane. Taking over this responsibility, we had to review all the information we could get our hands on on Moonlight Maze.
Moonlight Maze had already been under investigation. And those investigators were able to go back further in time, and they believed that the first incidents were really occurring back as far as 1996. Bob and his cohort of government agencies had to face the startling reality that whoever this was had possibly been meddling around in government systems for two years already. From an operational standpoint, they were even further behind their attackers than they had previously thought.
From a security standpoint, who knows what secrets they could have stolen or what mission-critical information they had taken. They had some idea, but it was far from complete. The kind of data that was being looked at was scientific research data primarily. So it was things like data from wind tunnels, data of aircraft design, data from the Army Corps of Engineers
on rivers and the flooding of rivers and other environmental data. Data from the Air Force on things like the total volume of the atmosphere and the total electron count of the atmosphere. Remember, this is just what they knew had been taken. With so much backlog to work through, it was possible they had already reached something far more sensitive.
The Eligible Receiver exercise had taught them how just one simple edit to a database could put lives at risk. But what if they used the aircraft plans to find a weakness or a way to develop new weapons based on engineering data? Just take a moment to imagine the consequences of an enemy state getting hold of that information.
I recall many other extremely interesting sounding scientific and technology related data that was either defense programs or things collected about defense programs or by defense organizations that was of use to defense programs. The main frustration? They still had no idea who was behind the Moonlight Maze hack.
The DoD's original Joint Task Force, or JTF if you're in the know, really had to up their Computer Network Defense, or CND, game.
Coincidentally, before taking over this position as the first J2 of JTF-CND, I met with several of my mentors, including a retired admiral, Mac Showers, who had been an intelligence officer in World War II. Mac was part of this team of people who ended up contributing the intelligence that really helped win the Battle of Midway, one of the most important battles in naval history.
Mac gave me his views on all-source intelligence and the importance of being proactive and creative in doing this. I also met with other mentors before taking this job. They all underscored for me that my mission had to be not just to sit back and take requirements from my J3, take requirements from my boss, but to create a mechanism that can drive operations by finding the most operational, actionable intelligence. Let me translate that last line for you. Bob's mentors were telling him to think outside the box. Let the intelligence lead you. Don't just follow orders. With the wisdom of his mentors fresh in his mind, Bob realized that they needed to think differently. So far, the Moonlight Maze investigation had been handled by the FBI.
Bob may have been part of the new task force, but they're basically starting from scratch, barely putting together the tiny shards of evidence they do have.
There were so many incidents as part of this intrusion set, but we were able to develop commonalities as we looked at all of them together. Frequently, the intruder would have actual login credentials, and so they would log in as a remote user, but it wasn't the real user, and we would find out from some other ways. It might be the time of day they were logging in, or the person was on vacation but still logging in.
A few stolen passwords and a broad time window of the hackers' preferred working hours wasn't much, but it was a start. The timestamps from the logs indicated that the hackers tended to operate about nine hours ahead of the US. Bob and his team only had to look at a globe to realize that nine hours ahead of the US would put you neatly in the Middle East or Western Russia. Iran was particularly well-placed, but so was an old friend, Moscow.
There were other tradecraft indicators that were common across all of these intrusion sets. They were attacking the same basic kinds of systems and they were using the same type of tools. Tools that were available to the hacker community. Even back then, people were sharing software, like some people share Netflix passwords. But this organization that was doing these intrusions was always using the same tools because they were so good at them.
And they would carefully clean up after themselves and also how they would move the data to staging computers in a complex global web so that we really couldn't tell where the data was going at first. Slowly, they started to profile their target. But another problem started to emerge. Constant reminders that this was an FBI investigation.
The Bureau would frequently point out that to establish justice was the very foundation of the U.S. Constitution. Bob responded by pointing out the fuller text of the preamble, which says that it is not the only reason the nation was formed. It was also to provide for the common defense, and that was the role of DOD.
Constitution aside, the FBI had recently been embroiled in a campaign finance controversy, with agents claiming they were impeded in their investigation by an attorney in the Department of Justice. Perhaps they were cautious about creating any similar embarrassments. Bob would have to tread carefully if he wanted to avoid a turf war.
We studied everything we could of what came before us and then started to think as intelligence professionals, not law enforcement professionals. You see, there was a tension here.
The FBI led the law enforcement approach, and their approach at the time was very much collect evidence, collect forensics, investigate, assuming that there could be a criminal case. So you need to maintain chain of custody rules and not let this information leak out and not jump to any conclusions because you have to go where the evidence leads you.
Well, as an intelligence professional, that's very important, but that's not our only methodologies. We can come up with assessments based on who we think might be doing something and then collect information to confirm our assessments or not. So my approach was to look at all of this information, but also look at every possible adversary that could be responsible for this and then do analysis and assessments and collect information to see who it might be.
It was a risky move on Bob's part. On the one hand, he's doing the job required of him, gathering intelligence, but with the FBI leery of any interference, relationships are strained. If Bob's team did cross a line, there wouldn't just be internal friction. He could risk alerting the media or, worse, the enemy to their activities. If he was to consider every possible adversary, he had to do it very carefully.
And he had to be very delicate about keeping the FBI on side. We started calling meetings of the intelligence community. They had been coordinating before, but now there was a two-star general in the Department of Defense, a J2 in this JTF, me, who was able to call meetings and create a new venue to say, we need to know what's happening. Bob is starting to feel frustrated. He has to let the FBI investigation do its thing.
But his instincts are telling him there's more to the story. At least now he has the authority to coordinate interdepartmental information sharing. Remember, his official role is to protect the Department of Defense from this attack. But Bob's gut is telling him this is more than a criminal case.
He just needs to accidentally prove that somehow. And of course, we also invited the law enforcement and counterintelligence community and Department of Defense and the FBI. The FBI, frankly, was not very happy with our approach. Bob's all-source method is not going to sit well with the FBI's evidence-based criminal investigation. The FBI deals in cold, hard facts. Bob and his maybes weren't well received.
Oh, and he might actually even be doing something illegal. According to the FBI, at least. One of the law enforcement people there even told me that this could actually be interfering with an investigation. And if so, you know, I could get in serious trouble by doing this. But it would take a little more than a public ticking off to keep him from following the advice of his mentors.
Bob's experience gathering intelligence on the Russians has taught him that there's always more to the iceberg than what you see above the surface. After several months of investigations, he's acutely aware that every day that passes is giving the hackers more time to steal something truly devastating. His patience with deferring to the FBI is wearing thin.
We had to pursue and press on, however. And the general approach of all law enforcement was, you cannot treat this as a hostile foreign power unless you have evidence that it's a hostile foreign power. Our approach was different. You've seen the movies. Every cigar-smoking detective wants to be the one to catch the crook. In the real world, it's a little more complicated.
It's not just about the glory of busting the bad guy. There are layers and layers of red tape, endlessly documented procedures, and, well, good old garden-variety pride to navigate. If Bob was going to convince the FBI that this isn't a simple criminal matter, but one of national security, he'd need to get a little more creative. And then Bob's team gets a lucky break.
Investigations had identified a server in the UK that was regularly used as a gateway to access the DoD systems. Unbeknownst to the hacker, the investigators have a plan.
Instead of kicking them off the server, why not let them think they're getting the good stuff? The honeypot, a very new technology at the time and very rapidly followed by a honey net. How can you get multiple computers working together to collect information on an adversary who thinks they're hacking a real site? Today, it's a tried and true technique. Use your enemy's greed against them.
For Bob and his team, this was as simple as creating a folder full of files with a suitably tempting name about something they knew the hacker would be interested in. And then expanding that into an entire fake network with plenty more juicy-looking bits of information to steal. They made an even more cunning plan: to embed a virtual beacon into these files, which could periodically signal back to base vital information about the hacker's location.
Bob's team already had the incidental time zone evidence. Now they had the live data from the honeypot, which showed that some connections were coming from an internet provider in Russia. Also, whoever was doing this had tools and talent that you'd only really expect from a government-backed operation. It's almost as if there was a junior team and they would reach a hard spot, then call in the pros who would come in and they would complete the operation.
But they still needed a smoking gun. Days later, one of his colleagues came to him. They had found a small clue hidden deep in some encrypted log files. By reverse engineering some of the encrypted commands, he'd found they had originally been written in Cyrillic. But as any True Spies listener will know, decoys are a hallmark of good tradecraft, and Bob couldn't rule out the idea that this was another nation trying to throw them off the scent.
Around this point, I went to one of my mentors and in a classified environment briefed him on everything I saw and just asked what he thought. And he suggested to me that I go into the intelligence archives
and look for information that was provided years before, decades before, by a famous spy, Oleg Penkovsky. Penkovsky provided his information to the West in '61, '62, was captured and died a horrible death in '63 because he did not like the communist government and its oppression of the people in the Soviet Union.
Oleg Penkovsky was a notorious Russian double agent, a true spy, if you will. He's best known for providing crucial information to the West about the readiness of Russia's weapons in the Caribbean, while also serving as a colonel in the GRU, the USSR's military intelligence agency. Do the words "Cuban Missile Crisis" ring any bells?
Anyway, his intel enabled the US to call Russia's bluff and potentially avoid a nuclear war. Official records say he was shot, but some sources claim he was actually burned alive. The information he provided included insights on how the GRU worked and how it embedded officers in the technology community to acquire information. Specifically,
Penkovsky explained how the USSR often leveraged civilian organizations, like the Soviet Academy of Sciences, to collect information for them. Using the intel from a former Russian agent was unorthodox, to say the least. But in the absence of any hard evidence, even using old GRU techniques was something.
It ended up being a really good tip because it allowed us to tailor our collections to find out what was really happening. Well, very quickly, the prime candidate became the Russian GRU, direct descendant of the Soviet GRU. We knew that they had intentions to operate in cyberspace. We knew that they were investing in that.
We knew from Oleg Penkovsky's papers of decades before that the GRU was used to working with their scientific community. And if they had information that's technical that they wanted, they'd try to collect it themselves, or they might go to their own technology community and get their scientists to go overseas and go to conferences and bring information back. Well, whoever it was in their network, they definitely had a taste for collecting information.
But he was about to put Penkovsky's insights to the test. Some of this needs to remain sensitive for a lot of reasons. There really could be people whose lives are still at risk because of the job they're doing today. So let me just kind of filter this and say we have information that indicates what Russia wanted when it comes to their intelligence priorities.
and we have information on what the Moonlight Maze hackers were interested in because we would go and interview the organizations that had a server that was hacked.
And the correlation was uncanny and amazing and unique. It was almost an exact match. Things that the Russian government wanted collected by their intelligence services were being collected by the Moonlight Maze attacker. We could not say the same about any other nation. This was not what Iran, Iraq, North Korea, China were interested in collecting. This is what Russia was interested in collecting. If it sounds like Bob is holding information back here, that's because he is. This mission may have been decades ago, but many of the details still remain classified. All you need to know is that the intel was clear. Russia was seeking certain information, and that information just happened to perfectly match what the hackers were taking.
Oh, and they had the perfect institution to use as a cover, too, just as Penkovsky said they would.
We also knew that organizations that had worked with the GRU, like the Soviet Academy of Sciences, still existed, but now they were the Russian Academy of Sciences. We also knew that the Russian Academy of Sciences were investing heavily in the Internet and in capabilities to help them just leverage this new technology of the Internet. So that became an operational thesis that we then started collecting information on. And this is where things get a little tricky for Bob.
He's convinced that all the evidence points to Russia. This means he was about to put the cat among the proverbial FBI pigeons. And this did cause tension. It caused tension when I started making an assessment that we have enough information at this point to say it is probably the Russian GRU behind this. You've spotted the problem, haven't you? You can't take a nation to court.
If it really was the Russians, the FBI had effectively been wasting their time. Or, at the very least, they could feel like the Department of Defense had been undermining their case. And sure enough, when Bob delivered his assessment to his superiors, it didn't go down well.
The FBI really got angry and pushed back in a serious way. "You can't say that," they told me. "Are you saying that Russia has conducted an act of war against us by attacking our systems?" I said, "No, I have not said they have conducted an act of war. I have assessed that Russia, the GRU, is conducting an espionage campaign against our networks."
Traditionally, espionage has not been an act of war. But the FBI wasn't going to give up their case without a fight. In what might be considered an incredibly bold move, someone suggested the unthinkable. What if they just asked the Russians directly if they were the perpetrators? This was a risky plan to say the least. Firstly, the Cold War might have been over and relations between the two countries were relatively cordial. But any missteps could unravel years of diplomatic progress.
Secondly, there's a very real risk that, well, I'll let Bob explain. It was not unanimously thought that this would be a good idea because doing this is going to show your hand completely. You will show the GRU what you know if you do this. The Department of Defense did not want this to happen. The Department of Justice wanted this to happen. They won out.
The FBI, if you weren't sure, comes under the Department of Justice, meaning that the tables had now turned. By sending a delegation to Russia, it's the Department of Defense's own investigation that's at risk of being exposed and ultimately ruined. But to the FBI's credit, they had a card to play: a crucial bargaining chip with the Russian Ministry of Internal Affairs, the MVD.
There was a unique opportunity at the time for the FBI to ask a favor of the MVD. They had just done a favor for Yeltsin. And they asked, and they were granted permission to send a legal team over to Moscow to conduct a law enforcement investigation, like they would with any other country. While the FBI and some agents from the Department of Defense packed their bags for Moscow, Bob is left to sit on his hands back home.
He knows this is a risky play, but it's the only way they can proceed without igniting an internal spat with the FBI. All he can do now is wait. The FBI led a team over there. It was primarily Department of Defense investigators that went. They went with a lot of knowledge in their head of what these intrusions were and some written information. At first, things seemed to be going well.
The Russians rolled out the red carpet, complete with clear liquor and caviar. The mood was light and spirits were high. The Americans had arrived with copies of all the stolen files. The plan was to confront the Russians with it and catch them on the back foot. But to their surprise, the Russian general who received them was not only cooperative. He came walking in with folders full of log files under his arm that confirmed they were behind the hack.
The US agents were dumbfounded. Until now, the FBI still wasn't convinced that Russia was the attacker, or that they would even acknowledge it if they were. Yet here they are, being presented with the smoking gun they needed. On a silver platter, no less. And this was only day one. For a brief moment, they worried that the general's open admission might have been a bluff. It really did feel too good to be true.
One of our very quick-thinking OSI agents wanted to make sure that there was no kind of deception or a plant involved. OSI, that's the Office of Special Investigations.
And he remembered the exact date and time of another intrusion. So he said, can I see this date? And they turned through the logs and picked up that date and said, yes, it's right here. And sure enough, it matched his recollection of the incident. The Russian MVD cooperated for one day out of this four-day trip. That was the first day. After that, all cooperation stopped and the team was just simply given tours of Moscow.
Put yourself in their position. One minute you're the guest of honor, sitting at the table with a general hand-delivering what would effectively amount to a full confession. Yet the very next day, you're relegated to a tourist, reluctantly wandering the halls of the Bolshoi Theater. They never heard from the general again, and no explanation for the change of plans was ever offered. The delegation packed their bags and returned to Washington, D.C.
My belief is that's because the MVD did not know this was a GRU operation. Once they found out it was a GRU operation, they of course stopped the coordination. In hindsight, the US delegation speculated that sending them on a mystery tour of Russian monuments was a deliberate delay tactic, one that secured the GRU a few days to quietly dismantle its hacking operation.
This, of course, was a bittersweet outcome for Bob. Well, frankly, we have to move fast because now the GRU definitely knows just about everything and knows that we are detecting them and they will be able to assume that we had things like honeypots and that we're watching their methodology. And sure enough, we did move fast.
We pushed as hard as we can to improve our patching and improve our security. We purchased new encryption equipment. We increased our ability to do forensics. We increased our ability to do operational security and increased the manning of our computer emergency response teams. We increased within a very formal way our ability of the intelligence community to support computer network incidents. So we've really upped our game.
It might not be the resolution he had hoped for, but it lit a fire under the Department of Defense that no amount of risk assessment briefings or hacking exercises, like Eligible Receiver, ever could. And, albeit not the ending Bob had wanted, it did mean the end of the years-long hack, sort of. And for a while, for at least a brief moment in time, the Russian activity stopped. We pushed them out of our network.
But you'd be foolish to think this was the end of the matter. As you may remember, some missions are never truly accomplished. Now, that's not the end of the story.
Just like in espionage, you roll up one espionage operation and they're back again soon. And sure enough, these cyber attacks were back very quickly after this. There was a major intrusion set that we attributed to the Chinese, for example. And the Russians came back in much more quiet, sensitive, covert ways. It was even harder to find them the next time.
About a decade later, they got so advanced, they were able to put malicious code on unclassified systems that would replicate itself into classified systems. That same code, traces of it, looked very much like code being used in the Moonlight Maze intrusions. But for Bob, the silver lining was clear. He and his team were able to lay a foundation for cyber defense.
the legacy of which is still felt today. I would say that this marked the beginning of a discipline called cyber threat intelligence. The cyber threat intelligence we generated using these methodologies as part of Moonlight Maze is now an accepted discipline in the cybersecurity community.
Today, threat intelligence informs the actions of governments and organizations across industry. So actionable intelligence on adversary tactics and techniques and tools is really critical, and it came out of this operation. I'm Vanessa Kirby. Here's a taste of next week's exciting brush with True Spies.