Blog entry by Les Bell

by Les Bell - Thursday, 11 May 2023, 11:29 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Five Eyes, NATO, Take Down Snake P2P Cyber-espionage Network

Multiple agencies around the Western world have announced the dismantling of a massive peer-to-peer spyware network which has been operated for the last 20 years by the Russian FSB (Federal Security Service). The Snake malware was operated by the FSB's Center 16, better known as the APT group Turla or Venomous Bear, and has been detected in over 50 countries across North and South America, Europe, Africa, Asia and Australia. Systems in education, media and small businesses were infected to act as relay nodes for encrypted traffic, while the main targets for information-gathering implants were government networks, research facilities and journalists, as well as some critical infrastructure sectors (government, financial services, critical manufacturing and telecommunications).

Snake is probably the most sophisticated cyber-espionage tool in the FSB's arsenal; it is extremely stealthy - both in the way it infects systems and in its obfuscated communications - and has an extremely elegant modular architecture which allows development and interoperability of new and updated components across multiple operating system platforms. It also demonstrates high-quality software engineering design and implementation, containing surprisingly few bugs given its complexity.

Development of Snake began in late 2003, with initial operations conducted in 2004; its initial name, "Uroburos", is particularly appropriate, since it has undergone many cycles of redevelopment and upgrade since then. It is run from an FSB facility in Ryazan, Russia - as indicated by activity increasing during working hours there - as well as from an FSB Center 16-occupied building in Moscow. Over the last 20 years, however, various agencies have been monitoring its operations and collecting samples, and have seen it evolve and spin off a range of other implants and related tools such as Carbon (a.k.a. Cobra) and another implant called ComRAT or Chinch.

As cybersecurity and incident response companies have reported on Snake's tactics, techniques and procedures (TTPs), its developers have implemented new techniques to evade detection, such as fragmenting and encrypting its network traffic, making it challenging for intrusion detection systems - both host- and network-based - to spot.

The FSB operators typically obtain initial access to external-facing infrastructure nodes on a network, and from there pivot to the internal network, using other tools and TTPs to conduct additional exploitation operations. After establishing a foothold on a target network, they typically enumerate the network and use a variety of tools such as keyloggers and network sniffers to obtain user and administrator credentials and access domain controllers, as well as spreading laterally to other networks.

After mapping out a network and getting admin credentials for various domains, the operators generally commence regular data collection operations, mostly using lightweight remote-access tools. They sometimes deploy a small remote reverse shell to enable interactive operations and function as a backup access vector, maintaining a minimal presence while avoiding detection.

The main heavyweight implant comprises stacks of loosely-coupled components which connect via well-designed interfaces; for example, its network protocols separate the encryption layer from the transport layer, which could be its custom HTTP protocol or its raw TCP socket protocol. This way, the operators can choose the network transport protocol that best fits into the target environment without detection, yet still preserve the full functionality of the implant, as all the other layers, right up to its command processing code - the 'application' layer - are completely agnostic to which transport is used.

Despite being implemented in the C programming language, the code exhibits very few of the memory management and other bugs common to development in that language, and it shows good selection of algorithms. This is not to say that it is perfect, however: a basic error - using a prime number of only 128 bits in size - significantly weakened the Diffie-Hellman key agreement component of its encryption layer, while rushed deployment led developers to sometimes compile and link its binaries with debugging symbol tables included, allowing researchers to identify function names, strings and developer comments and thereby gain insights into its communications protocols and inner workings.
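To show why a 128-bit Diffie-Hellman modulus is a serious weakness, here is an added example (not code from the advisory or from Snake) that runs textbook DH over a constructed toy prime and then recovers the shared secret from the two public values alone using baby-step giant-step, whose cost grows with the square root of the modulus; the toy parameters, private exponents and the `dh_modulus_acceptable` check are assumptions for illustration.

```python
import math

# Constructed toy parameters (assumed for illustration; the page gives no real
# Snake values): p is the Fermat prime 2^16 + 1 and 3 is a primitive root mod p.
P_TOY, G_TOY = 65537, 3


def dh_public(p, g, priv):
    """Textbook Diffie-Hellman: public value g^priv mod p."""
    return pow(g, priv, p)


def dh_shared(p, peer_pub, priv):
    """Shared secret from the peer's public value and our private exponent."""
    return pow(peer_pub, priv, p)


def bsgs_dlog(p, g, h):
    """Baby-step giant-step: find x with g^x = h (mod p) in O(sqrt(p)) time and
    memory. This generic method alone already puts a 128-bit modulus within
    about 2^64 steps, and index-calculus methods need far less; hence the
    2048-bit floor used by modern guidance (e.g. RFC 7919's ffdhe2048)."""
    m = math.isqrt(p - 1) + 1
    baby = {pow(g, j, p): j for j in range(m)}   # g^j for j in [0, m)
    factor = pow(g, -m, p)                        # g^(-m); needs Python 3.8+
    gamma = h
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma]            # h = g^(i*m + j)
        gamma = (gamma * factor) % p
    return None


def recover_shared_secret(p, g, pub_a, pub_b):
    """A passive observer of the exchange recovers the shared secret from the
    two public values by solving one discrete log (only feasible for tiny p)."""
    priv_a = bsgs_dlog(p, g, pub_a)
    return dh_shared(p, pub_b, priv_a)


def dh_modulus_acceptable(p, min_bits=2048):
    """Assumed parameter check: reject any DH modulus shorter than min_bits."""
    return p.bit_length() >= min_bits


if __name__ == "__main__":
    a, b = 12345, 54321                           # constructed private exponents
    A, B = dh_public(P_TOY, G_TOY, a), dh_public(P_TOY, G_TOY, b)
    secret = dh_shared(P_TOY, B, a)
    print("observer recovers secret:", recover_shared_secret(P_TOY, G_TOY, A, B) == secret)
    print("128-bit modulus acceptable:", dh_modulus_acceptable((1 << 127) | 1))
```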

From this initial foothold, various agencies were able to monitor Snake, decrypting and decoding its C2 communications. Ultimately the FBI was able to develop a tool called PERSEUS which establishes a session with the Snake implant on a particular computer and issues commands that instruct the implant to disable itself, effectively overwriting its own components, without affecting the infected host or its legitimate applications. Having obtained authorization from a Federal court, the FBI commenced Operation MEDUSA, which dismantled the Snake network on infected systems within the US.

The US agencies involved - the FBI, the NSA, US Cyber Command's Cyber National Mission Force and the Cybersecurity & Infrastructure Security Agency - have collaborated with the UK's National Cyber Security Centre, Canada's Centre for Cyber Security and Communications Security Establishment, the Australian Cyber Security Centre and the New Zealand National Cyber Security Centre, and those agencies will presumably take appropriate actions in their own jurisdictions. In addition, the FBI and US State Department are also providing information to local authorities in other countries where Snake-infected computers have been located.

The agencies have also issued a 48-page joint cybersecurity advisory, which makes fascinating reading, as you might expect, with a full analysis of Snake's communication and application layers, as well as the implant operation. Of course, the advisory also contains suggestions for detection, mitigation and prevention, including a plugin for the Volatility memory analysis framework which scans all processes, looking for any into which the Snake user-mode component has been injected.

Marzulli, John, Justice Department Announces Court-Authorized Disruption of the Snake Malware Network Controlled by Russia's Federal Security Service, press release, 9 May 2023. Available online at https://www.justice.gov/usao-edny/pr/justice-department-announces-court-authorized-disruption-snake-malware-network.

NSA Media Relations, U.S. Agencies and Allies Partner to Identify Russian Snake Malware Infrastructure Worldwide, press release, 9 May 2023. Available online at https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3389044/us-agencies-and-allies-partner-to-identify-russian-snake-malware-infrastructure/.

Cybersecurity & Infrastructure Security Agency, Hunting Russian Intelligence “Snake” Malware, cybersecurity advisory AA23-129A, 9 May 2023. Available online at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a.

Uncredited, UK and allies expose Snake malware threat from Russian cyber actors, news release, 9 May 2023. Available online at https://www.ncsc.gov.uk/news/uk-and-allies-expose-snake-malware-threat-from-russian-cyber-actors.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
