Turla’s Snake May be Down, But its Legacy Lives On

The Department of Justice’s recent announcement that it had dismantled the Snake malware network run by the Russian FSB’s Turla group was met with surprise: not that the authorities had taken the network down and neutralized the Snake malware, but that Snake was still in use in the first place.

“I’m surprised that the FSB was still using Snake until the takedown. The Snake backdoor is an old framework that was developed in 2003 and was linked to the FSB multiple times by many security vendors,” said Frank van Oeveren, manager of threat intelligence and security research at Fox-IT, part of the NCC Group. “Normally, you would expect the nation-state actors would burn the framework and start developing something new.”

But van Oeveren noted that Snake, which the FSB originally developed under the name Uroburos, is both “sophisticated and well put together,” which shows that its creators invested considerable time and money in the framework.

“Taking down a large network run by a state-level security agency is, no doubt, a major undertaking,” said Mike Parkin, senior technical engineer at Vulcan Cyber. “But even with that, it’s still surprising that the Snake malware was able to operate for as long as it did.”

The Snake implant “is considered the most sophisticated cyberespionage tool designed and used by Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive targets,” CISA said in its cybersecurity advisory. Snake infrastructure has been observed in more than 50 countries across North America, South America, Europe, Africa, Asia and Australia, including the United States and Russia.

“To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide,” the agency explained. “Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB’s ultimate targets. Snake’s custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts.”

Snake’s long life has also left traces that worked against its operators. For instance, “the name Uroburos is appropriate, as the FSB cycled it through nearly constant stages of upgrade and redevelopment, even after public disclosures, instead of abandoning it,” the advisory said. “The name appears throughout early versions of the code, and the FSB developers also left other unique strings, including ‘Ur0bUr()sGoTyOu#’, which have publicly come back to haunt them.”

Snake’s sophistication may also have worked against the people using it. “Our investigations have identified examples of FSB operators using Snake to its full potential, as well as FSB operators who appeared to be unfamiliar with Snake’s more advanced capabilities,” CISA said. “These observations serve to illustrate the difficulty in using such an advanced toolset across the various geographically dispersed teams comprising” FSB Center 16, the unit from which Snake operations were run.

Operators, too, have made some mistakes that authorities were able to exploit to thwart Snake. “Although the Snake implant as a whole is a highly sophisticated espionage tool, it does not escape human error,” CISA said.

“A tool like Snake requires more familiarity and expertise to use correctly, and in several instances, Snake operators neglected to use it as designed,” according to the advisory. “Various mistakes in its development and operation provided us with a foothold into the inner workings of Snake and were key factors in the development of capabilities that have allowed for tracking Snake and the manipulation of its data.”

One such mistake was cryptographic. The FSB used the OpenSSL library for Snake’s Diffie-Hellman key exchange, but generated Diffie-Hellman parameters far too short to be secure. “The FSB provided the function DH_generate_parameters with a prime length of only 128 bits, which is inadequate for asymmetric key systems. Also, in some instances of what appeared to be rushed deployments of Snake, the operators neglected to strip the Snake binary,” the CISA advisory noted. “This led to the discovery of numerous function names, cleartext strings, and developer comments.”
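To make the parameter-length finding concrete, here is an added example (not code from the article, CISA, OpenSSL or Snake) of the two things a practitioner would want around it: a modulus check that rejects short Diffie-Hellman primes, and a baby-step giant-step discrete logarithm that recovers a shared secret from the two public values alone once the prime is small. Baby-step giant-step needs roughly sqrt(p) steps, so the attack is run on a constructed 30-bit prime rather than a 128-bit one; the point generalises, and index-calculus methods do far better than sqrt(p) against primes of the size Snake used. The function names, the 2048-bit floor, the toy prime and the private exponents are assumptions chosen for illustration.

```python
"""Added example, not code from the article, CISA, OpenSSL or Snake.

CISA reports that Snake's developers called OpenSSL's DH_generate_parameters
with a 128-bit prime length. Below: a modulus check that would have rejected
that, a toy DH exchange over a constructed small prime, and a baby-step
giant-step (BSGS) discrete log that recovers the shared secret from the public
values. The names, the floor of 2048 bits, the toy prime and the exponents are
assumptions made for illustration.
"""
import math

# Assumption: 2048 bits is the floor a reviewer should enforce for finite-field DH.
MIN_DH_PRIME_BITS = 2048

# Constructed toy parameters (not Snake's): 1000000007 is prime, 5 is the base.
TOY_P = 1_000_000_007
TOY_G = 5

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases (deterministic below about 3.3e24)."""
    if n < 2:
        return False
    for q in _MR_BASES:
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def modulus_long_enough(p: int, min_bits: int = MIN_DH_PRIME_BITS) -> bool:
    """The size check the Snake developers skipped: 128 bits fails, 2048 passes."""
    return p.bit_length() >= min_bits


def dh_modulus_acceptable(p: int, min_bits: int = MIN_DH_PRIME_BITS) -> bool:
    """Accept a DH modulus only if it is both long enough and (probably) prime."""
    return modulus_long_enough(p, min_bits) and is_probable_prime(p)


def dh_public(p: int, g: int, priv: int) -> int:
    """Public value g^priv mod p."""
    return pow(g, priv, p)


def dh_shared(p: int, their_pub: int, priv: int) -> int:
    """Shared secret their_pub^priv mod p."""
    return pow(their_pub, priv, p)


def bsgs_dlog(p: int, g: int, h: int) -> int:
    """Return x with g^x == h (mod p) by baby-step giant-step.

    Time and memory are O(sqrt(p)), which is why the modulus size, not any
    secrecy of the parameters, is what protects a DH exchange.
    """
    m = math.isqrt(p - 1) + 1
    baby = {}
    cur = 1
    for j in range(m):  # baby steps: store g^j for 0 <= j < m
        baby.setdefault(cur, j)
        cur = cur * g % p
    step = pow(pow(g, m, p), p - 2, p)  # g^(-m) mod p via Fermat's little theorem
    gamma = h
    for i in range(m):  # giant steps: h * g^(-i*m) until it hits a baby step
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * step % p
    raise ValueError("no discrete logarithm found")


def recover_shared_secret(p: int, g: int, pub_a: int, pub_b: int) -> int:
    """What a passive observer of both public values can compute when p is small."""
    a = bsgs_dlog(p, g, pub_a)  # any a' with g^a' == pub_a yields the same secret
    return pow(pub_b, a, p)


if __name__ == "__main__":
    print("128-bit modulus long enough:", modulus_long_enough(1 << 127))
    print("toy modulus acceptable:", dh_modulus_acceptable(TOY_P))
    priv_a, priv_b = 123456789, 987654321  # constructed private exponents
    pub_a = dh_public(TOY_P, TOY_G, priv_a)
    pub_b = dh_public(TOY_P, TOY_G, priv_b)
    real = dh_shared(TOY_P, pub_b, priv_a)
    print("observer recovered the shared secret:",
          recover_shared_secret(TOY_P, TOY_G, pub_a, pub_b) == real)
```

The modulus check is the part worth carrying into real code: it should sit wherever DH parameters are loaded or generated, so that a too-short prime is refused before any key exchange runs, rather than being discovered later by whoever captures the traffic.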

The biggest takeaway that Parkin sees is that “these things take time.”

The Turla group “operated for almost 20 years before being taken down, which is a long, long time for a known threat to be active even when it’s operated by a state security agency,” said Parkin. “A related lesson is that an organization may be facing attack from a state or state-sponsored threat who may have considerably more resources than a common criminal and deeper motivations than simply criminal activity.”

A lesson learned from the disruption of the Snake malware network: “It only takes one unpatched system or one untrained user to click a phishing link to compromise an entire organization,” said James Lively, endpoint security research specialist at Tanium. “‘Low hanging fruit’ or taking the route with the least amount of resistance is often the first avenue that an attacker looks for. A prime example of this is an old unpatched system that is public-facing to the internet but has been forgotten about by the organization.”

Lively suggested a number of steps organizations can take to guard against malware like Snake, “including ensuring that the organization has an accurate inventory of assets, systems are patched and updated, phishing campaigns and training are undertaken and strong access controls are implemented.”

And law enforcement can improve international cooperation to “tackle cybercrime by encouraging information sharing and signing agreements and NDAs and performing joint investigations,” said Lively.

“The biggest cybersecurity threat facing organizations today is an insider threat. There’s little an organization can do to prevent a disgruntled employee or someone with elevated access causing catastrophic damage,” he explained. “To combat this threat, organizations should look to limit access to resources and assign the minimum amount of permissions to users that they require to perform their duties.”

For now, the Snake network may be shut down, but van Oeveren warned not to consider Turla dead or to underestimate its creators. “Turla will most likely continue with a different framework, but it’s always a surprise what the group will do,” he said.

“Over the years, the Russian Intelligence Service has created multiple backdoors in different programming languages, which shows their willpower to develop new tools for their operations,” he said, noting that a similar toolkit would likely be developed in a different language. “Don’t underestimate the group using the Snake backdoor—as we’ve seen before, it’s persistent and usually goes undetected for many years prior to being discovered on a target network.”


Teri Robinson
