Russia's Powerful "Snake" Cyberespionage Malware Gets Destroyed by US

Russia’s Powerful “Snake” Cyberespionage Malware Gets Destroyed by US

On Tuesday, the US government declared that it had stopped what it called the most sophisticated cyberespionage malware being used by a division of the Russian FSB security service to collect data from significant targets. Nearly 20 years old, the malware known as Snake has been connected to several additional tools and operations related to the Russian government, including Turla, Uroboros, Venomous Bear, and Waterbug.

According to the US authorities, threat actors have employed it to steal private information from hundreds of devices located in at least 50 different countries. The governments of NATO member nations, journalists, and scientific institutions are among the victims. As of now, a section of FSB Center 16 has been formally connected to the malware.

“The U.S. government has monitored FSB officers assigned to Turla conducting daily operations using Snake from a known FSB facility in Ryazan, Russia,” said the US Justice Department.

On Tuesday, the Department of Justice reported that a peer-to-peer (P2P) network of computers infected by the Snake malware was destroyed due to a court-authorized operation code-named Medusa. Numerous P2P systems were used as relay nodes, which were set up to send and receive operational communication disguised to and from instances of the Snake malware installed on target computers.

The FBI created a program called Perseus that sent orders to the Snake virus to overwrite some of its own vital parts, rendering it useless. Authorities cautioned victims to perform their research to identify any other tools that would allow hackers to regain access to their computers. A detailed technical advisory including information on how to recognize and thwart assaults employing the Snake malware, including a current variation, has been released by the US Cybersecurity and Infrastructure Security Agency (CISA) and several other organizations, including Five Eyes allies. Due to flaws made during the construction and functioning of the malware, it was easy for investigators to monitor Snake and change its data.

According to the advisory, the FSB handled its Diffie-Hellman key exchange using the OpenSSL package. Unfortunately, snake generated a Diffie-Hellman key set that is too brief to be secure during the key exchange. The FSB only gave the function DH_generate_parameters a prime length of 128 bits, which is insufficient for asymmetric key systems. Additionally, in certain instances of what seemed to be hurried Snake deployments, the operators forgot to extract the Snake binary; it was appended. As a result, many function names, cleartext strings, and developer comments were found.

About the author

Yehudah Sunshine

Yehudah Sunshine

Bringing together his diverse professional cyber know-how, intellectual fascination with history and culture, and eclectic academic background focusing on diplomacy and the cultures of Central Asia, Yehudah Sunshine keenly blends his deep understanding of the global tech ecosystem with a nuanced worldview of the underlying socio-economic and political forces which drive policy and impact innovation in the cyber sectors. Yehudah's current work focuses on how to create and or opportunities enhance marketing strategies and elevate cyber driven thought leadership for cyfluencer (www.cyfluencer .com), the cybersecurity thought leadership platform. Sunshine has written and researched extensively within cybersecurity, the service sectors, international criminal accountability, Israel's economy, Israeli diplomatic inroads, Israeli innovation and technology, and Chinese economic policy.