US disrupts Russia-linked Snake implant’s network

The US government announced to have disrupted the peer-to-peer (P2P) network of computers compromised by the Snake malware.

The Snake implant is one of the most sophisticated implants used by Russia-linked threat actors for cyberespionage purposes. The malware has been designed and used by Center 16 of Russia’s Federal Security Service (FSB) in cyber espionage operations on sensitive targets. The FSB created a covert peer-to-peer (P2P) network of machines worldwide that were infected with the Snake malware.

The P2P network is used to operational traffic to and from Snake implants on the FSB’s ultimate targets. The malware uses custom communications protocols designed to avoid detection.

The development of the Snake malware, aka Uroburos, started in late 2003 and was completed in early 2004. The threat is continuously upgraded and the authors re-designed it after the public disclosures.

The US experts identified Snake infrastructure in over 50 countries worldwide, including the United States and Russia. The U.S. agencies monitored FSB officers assigned to Turla that used the Snake malware as part of their daily activity from a known FSB facility in Ryazan, Russia.

The Department of Justice (DoJ) announced the court-authorized disruption of the network used by the malware.

“The Justice Department today announced the completion of a court-authorized operation, code-named MEDUSA, to disrupt a global peer-to-peer network of computers compromised by sophisticated malware, called “Snake”, that the U.S. Government attributes to a unit within Center 16 of the Federal Security Service of the Russian Federation (FSB).” reads the press release published by DoJ. “For nearly 20 years, this unit, referred to in court documents as “Turla,” has used versions of the Snake malware to steal sensitive documents from hundreds of computer systems in at least 50 countries, which have belonged to North Atlantic Treaty Organization (NATO) member governments, journalists, and other targets of interest to the Russian Federation.”

US authorities code-named the operation as “Operation MEDUSA”, and the FBI developed a tool named PERSEUS to disable Turla’s Snake malware on compromised computers. PERSEUS issues commands that cause the Snake malware to overwrite its own core components

“The Justice Department, together with our international partners, has dismantled a global network of malware-infected computers that the Russian government has used for nearly two decades to conduct cyber-espionage, including against our NATO allies,” said Attorney General Merrick B. Garland. “We will continue to strengthen our collective defenses against the Russian regime’s destabilizing efforts to undermine the security of the United States and our allies.”

The US Cybersecurity and Infrastructure Security Agency (CISA) published an Alert (AA23-129A), titled “Hunting Russian Intelligence “Snake” Malware,” which contains technical details on the Snake implant.

According to the technical advisory, human errors allowed US authorities to track the P2P network composed of infected systems and interfere with its operation.

“Various mistakes in its development and operation provided us with a foothold into the inner workings of Snake and were key factors in the development of capabilities that have allowed for tracking Snake and the manipulation of its data.” reads the advisory. “The FSB used the OpenSSL library to handle its Diffie-Hellman key exchange. The Diffie-Hellman key-set created by Snake during the key exchange is too short to be secure. The FSB provided the function DH_generate_parameters with a prime length of only 128 bits, which is inadequate for asymmetric key systems. Also, in some instances of what appeared to be rushed deployments of Snake, the operators neglected to strip the Snake binary. This led to the discovery of numerous function names, cleartext strings, and developer comments as seen in the following figure.”

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Russia)