#nation-state #history #russia

Moonlight Maze

The first major nation-state intrusion campaign against the US ran for years in the late 1990s — and code fingerprints from it resurfaced two decades later.

Cyber Chronicle · 2 min read

Beginning around 1996 and running through 1999, US investigators tracked a sustained intrusion campaign against Department of Defense networks, the Department of Energy, NASA, defense contractors, and universities. The attackers exfiltrated an enormous volume of unclassified-but-sensitive research material. The investigation was code-named Moonlight Maze.

A campaign before the vocabulary existed

Moonlight Maze predated almost all of the language now used to describe such operations. There was no "APT" acronym, no threat-intelligence industry, no standardized incident-response practice. Investigators traced connections that appeared to route through systems in Russia, but attribution at the time was tentative, politically fraught, and never fully resolved in public.

For years Moonlight Maze remained a half-documented Cold-War-coda story. Then, in 2016, researchers obtained the preserved hard drive of a relay server that a retired British system administrator had kept since the late 1990s. The disk contained the attackers' toolset. Analysis, published in 2017, showed a code lineage connecting those 1990s tools to a backdoor called Penquin Turla, still in use by a contemporary Russian-attributed group two decades later.

What the chronicle remembers

Moonlight Maze is the earliest large-scale nation-state cyber-espionage campaign against the United States on public record, and the case that demonstrated operational continuity across decades. The forensic link published in 2017 showed that intrusion tooling, and the institutions that build and maintain it, can persist far longer than any single incident, and that an old hard drive in a closet can rewrite an attribution twenty years late.