How has Snake Malware of FSB been detected and revealed?
Posted on February 24, 2024 • 5 minutes • 897 words
Disclaimer: This text does not reflect any personal political opinion regarding the countries’ foreign affairs.
A joint statement by government institutions of the US, the UK, Canada, New Zealand and Australia was published on May 9, 2023, about the detection of a cyber espionage tool of the Russian Federation’s internal counterintelligence agency, the Federal Security Service (FSB), successor to the Soviet KGB.
This text is based on that document and tries to understand how inter-state relations are reflected in cyberspace. It aims to give an opinion about how countries invest in cyber tools and use them for political purposes in the 21st century.
Introduction
The publishers consider the Snake malware, or implant, the most sophisticated cyber espionage tool. It creates a peer-to-peer network of Snake-infected devices, and all of its communication is relayed through that network. It is designed to use fragmentation and encryption, which lowers the risk of detection.
By its nature, the Snake malware was aimed at high-priority targets. The infected network infrastructure consists of devices in more than 50 countries. A high-priority target in a NATO member country was targeted to obtain access to diplomatic communications and other sensitive international relations documents.
The Cybersecurity Advisory (CSA) document gives technical details about the attribution to the FSB.
The Snake Malware
It has been observed on Windows, macOS and Linux. Its internal design allows new components to be implemented quickly, and it has few bugs, which surprised the publishers. The tool was designed and developed starting from the end of 2003. Throughout its lifetime, the discovery of the tactics, techniques and procedures (TTPs) of early versions led the developers to fine-tune it to avoid detection, because a tool of this kind must stay on its targets for a long time without being detected.
Attribution to the FSB
The publishers say Snake operations are conducted by a known unit within Center 1 of the FSB. The unit has operated many elements of the Turla toolset. Daily Snake operations are run from an FSB facility in Ryazan, Russia, mainly between 7:00 am and 8:00 pm Moscow time. Some observations show that some Snake operators had more expertise in its full potential than others. The tool has continued to be used and developed even after public disclosures.
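The operating-hours observation above is one of the classic inputs to attribution: if operator actions, once shifted into a candidate timezone, cluster inside a plausible working day, that timezone becomes more likely. The following is an added example, not code from the advisory or from this post, that scores candidate UTC offsets against the 07:00 to 20:00 window named above. The timestamps are constructed sample data, and Moscow time is assumed to be a fixed UTC+3 offset so the example needs no timezone database.

```python
"""Working-hours analysis of operator activity timestamps (added example).

Given UTC timestamps of observed operator actions (for example, session starts
taken from proxy or firewall logs), shift them into each candidate timezone
and count how many fall inside a stated working window.  The best-fitting
offset is weak evidence on its own, but it is the kind of signal that
attribution work combines with many others.
"""
from datetime import datetime, timedelta, timezone

# Window named in the advisory: 07:00 to 20:00 local time.  An event counts
# as inside the window when its local hour h satisfies WORK_START <= h < WORK_END.
WORK_START, WORK_END = 7, 20

# Assumption: Moscow time is treated as a fixed UTC+3 offset (no DST).
MOSCOW_OFFSET = 3

# Constructed sample of operator activity timestamps in UTC.  Not real data.
SAMPLE_EVENTS_UTC = [
    "2023-03-06T04:30:00Z",  # 07:30 at UTC+3
    "2023-03-06T06:15:00Z",  # 09:15 at UTC+3
    "2023-03-07T09:00:00Z",  # 12:00 at UTC+3
    "2023-03-07T12:40:00Z",  # 15:40 at UTC+3
    "2023-03-08T14:05:00Z",  # 17:05 at UTC+3
    "2023-03-08T16:50:00Z",  # 19:50 at UTC+3
]


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp into an aware datetime.

    A trailing "Z" is not accepted by fromisoformat() before Python 3.11,
    so it is normalised to an explicit +00:00 offset first.
    """
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def local_hours(events, offset_hours: int) -> list:
    """Return the local hour of each event when viewed from UTC+offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    return [parse_utc(e).astimezone(tz).hour for e in events]


def fraction_in_window(events, offset_hours: int,
                       start: int = WORK_START, end: int = WORK_END) -> float:
    """Fraction of events whose local hour lies in [start, end) for this offset."""
    hours = local_hours(events, offset_hours)
    if not hours:
        return 0.0
    return sum(start <= h < end for h in hours) / len(hours)


def best_fit_offset(events, candidates,
                    start: int = WORK_START, end: int = WORK_END) -> int:
    """Return the candidate UTC offset under which most events fall in the window."""
    return max(candidates, key=lambda off: fraction_in_window(events, off, start, end))


if __name__ == "__main__":
    # Candidate offsets: US Eastern (-5), UTC, Moscow (+3), Beijing (+8).
    for off in (-5, 0, MOSCOW_OFFSET, 8):
        print(f"UTC{off:+d}: {fraction_in_window(SAMPLE_EVENTS_UTC, off):.2f} in window")
    print("best fit:", best_fit_offset(SAMPLE_EVENTS_UTC, [-5, 0, MOSCOW_OFFSET, 8]))
```

With six constructed events the fit is obviously not statistically meaningful; on real data one would want hundreds of events spread over weeks, and would also look at day-of-week patterns and public holidays. Operators can also deliberately shift their schedule, so the advisory's attribution rests on far more than working hours.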
Infecting the Targets
If an infected system stops responding to Snake communications, the FSB retargets and infects it again for tactical purposes.
The FSB generally targets external-facing network devices first and then uses different tools to discover and infiltrate other devices within the network. It focuses on obtaining administrator credentials and access to domain controllers. Many tools, like keyloggers and sniffers, have been used to spread the infection within the targeted network.
After mapping the network, they start the operation. Some tools are deployed only after administrator credentials have been obtained. FSB operators use a remote reverse shell during infection as a backup access vector, or keep a low profile within the network to avoid detection while operating.
Its Architecture
The Snake malware is written in C and shows professional software engineering practices. It has distinct components for specific purposes, such as accessing the administrator’s password hash. It also has custom network communication protocols, such as a custom HTTP protocol and a raw TCP socket protocol. All of its versions use an encryption layer and a transport layer. Every layer has two different communication interfaces and operates independently; the two distinct communication paths let operators switch to the other if they believe the current one is compromised.
Even though the developers followed good software development practices, there were human errors. It uses the OpenSSL library to handle its key exchange, but the key it uses is too short to be secure. Also, its rapid development left some cleartext strings, comments and function names in the binary.
Technical Details
The FSB developed new variants of Snake after its public disclosures, so many variants have appeared over its 20 years. While it may implement different initialization vectors, it achieves a high level of obfuscation on the host by using kernel modules, which also hide its components from the operating system. While interacting with the host, it uses an encrypted kernel module with a unique key, making it difficult for signature-based scans to detect it. The same tactic is used for every distinct component of the Snake malware to prevent signature-based detection by security products.
To persist on the host, it creates a service that starts on boot, decrypts Snake’s components and loads them into memory. Some other files are stored on the host and used by the malware to operate.
It creates a peer-to-peer network to facilitate stealthy communications. If an infected device is not itself a target, it acts as a server, which ‘greatly complicates detection efforts.’ It also uses custom network communication protocols to blend in with the infected device’s regular traffic, which makes blocking IP addresses and domains ineffective. Snake also inspects every incoming TCP packet to determine whether it is a command intended for itself.
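Because the traffic blends in and indicator blocking is ineffective, a defender is pushed towards behavioural detection of the relay pattern itself: an infected non-target device accepts a connection from one peer and, shortly afterwards, forwards a similar volume of data to another peer on the same port. The following is an added example, not code from the advisory or from this post, that looks for that store-and-forward pattern in flow records. The flow records, the hosts and the thresholds (a ten-second window and a 10% byte-count tolerance) are constructed assumptions for illustration, not values taken from the advisory.

```python
"""Relay-node heuristic over network flow records (added example).

A host that repeatedly receives a connection from one peer and, within a
short window, opens a connection to a different peer on the same port
carrying about the same number of bytes is behaving like a store-and-forward
relay.  This is the kind of behavioural signal that survives custom
protocols, because it depends on timing and volume rather than on payload
signatures, IP addresses or domains.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float     # start time, seconds since epoch
    src: str      # initiating host
    dst: str      # accepting host
    dport: int    # destination port
    bytes: int    # bytes carried by the flow


# Constructed flow records, not real data.  Host 10.0.0.5 receives a connection
# from an external peer and a few seconds later opens one to 10.0.0.9 carrying a
# similar volume, twice: the relay pattern.  10.0.0.80 is an ordinary server
# (inbound only) and 10.0.0.30 an ordinary workstation (outbound only).
SAMPLE_FLOWS = [
    Flow(1000.0, "203.0.113.7", "10.0.0.5", 443, 4096),
    Flow(1003.5, "10.0.0.5", "10.0.0.9", 443, 4120),
    Flow(1500.0, "198.51.100.2", "10.0.0.5", 443, 8192),
    Flow(1502.0, "10.0.0.5", "10.0.0.9", 443, 8200),
    Flow(2000.0, "10.0.0.20", "10.0.0.80", 443, 1500),
    Flow(2001.0, "10.0.0.21", "10.0.0.80", 443, 1700),
    Flow(2100.0, "10.0.0.30", "192.0.2.10", 443, 900),
]


def find_relay_hops(flows, window: float = 10.0, tolerance: float = 0.10):
    """Return (relay_host, upstream, downstream) triples.

    A hop is recorded when an inbound flow to relay_host is followed within
    `window` seconds by an outbound flow from relay_host to a different peer on
    the same destination port, with a byte count within `tolerance` (as a
    fraction of the inbound size) of the inbound flow.
    """
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_src[f.src].append(f)

    hops = []
    for inbound in flows:
        for outbound in by_src.get(inbound.dst, []):
            delta = outbound.ts - inbound.ts
            if delta < 0 or delta > window:
                continue                      # not shortly after the inbound flow
            if outbound.dport != inbound.dport or outbound.dst == inbound.src:
                continue                      # different service, or just a reply
            if abs(outbound.bytes - inbound.bytes) > tolerance * inbound.bytes:
                continue                      # volume does not match
            hops.append((inbound.dst, inbound.src, outbound.dst))
    return hops


def relay_candidates(flows, min_hops: int = 2, **kwargs):
    """Hosts that exhibit at least `min_hops` relay hops, sorted by address."""
    counts = Counter(hop[0] for hop in find_relay_hops(flows, **kwargs))
    return sorted(host for host, n in counts.items() if n >= min_hops)


if __name__ == "__main__":
    for hop in find_relay_hops(SAMPLE_FLOWS):
        print("relay hop:", hop)
    print("candidates:", relay_candidates(SAMPLE_FLOWS))
```

Legitimate proxies, load balancers and VPN gateways produce the same pattern, so the output is a triage list, not a verdict: the useful signal is a host that has no business relaying traffic (a workstation, a printer, an edge appliance that should only terminate sessions) appearing in it. The thresholds should be tuned against a baseline of the network's normal flows.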
Conclusion
Lastly, that revelation is one of the most striking results of the clash of states in cyberspace. Countries see the cyber domain as complementary to the other four: land, air, space and sea. Richard A. Clarke, who served in US government institutions, published “The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats” in 2019 with Robert K. Knake. That book also defines cyberspace as the fifth domain.