On Tuesday, the US government announced that it had neutralized what it called the most sophisticated cyberespionage malware in use by a division of the Russian FSB security service to collect data from high-value targets. Nearly 20 years old, the malware known as Snake has been linked to several other tools and operations attributed to the Russian government, tracked under names including Turla, Uroboros, Venomous Bear, and Waterbug.
According to the US authorities, threat actors have employed it to steal private information from hundreds of devices located in at least 50 different countries. The governments of NATO member nations, journalists, and scientific institutions are among the victims. As of now, a section of FSB Center 16 has been formally connected to the malware.
“The U.S. government has monitored FSB officers assigned to Turla conducting daily operations using Snake from a known FSB facility in Ryazan, Russia,” said the US Justice Department.
On Tuesday, the Department of Justice reported that a peer-to-peer (P2P) network of computers infected with the Snake malware was destroyed in a court-authorized operation code-named Medusa. Numerous infected systems served as relay nodes, set up to pass disguised operational communications to and from instances of the Snake malware installed on target computers.
The FBI created a program called Perseus that issued commands to the Snake malware instructing it to overwrite some of its own vital components, rendering it useless. Authorities cautioned victims to conduct their own investigation to identify any other tools that could allow the attackers to regain access to their computers. A detailed technical advisory, including information on how to recognize and thwart attacks employing the Snake malware, including a current variant, has been released by the US Cybersecurity and Infrastructure Security Agency (CISA) together with several other organizations, including Five Eyes allies. Because of mistakes made during the development and operation of the malware, investigators found it easy to monitor Snake and manipulate its data.
According to the advisory, the FSB implemented its Diffie-Hellman key exchange using the OpenSSL library. Unfortunately, Snake generated a Diffie-Hellman key set that is too short to be secure. The FSB passed the function DH_generate_parameters a prime length of only 128 bits, which is far too small for an asymmetric key system. Additionally, in certain instances of what appeared to be hurried Snake deployments, the operators forgot to strip the Snake binary. As a result, many function names, cleartext strings, and developer comments were recovered from it.
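As an added illustration (not code from the advisory, from OpenSSL, or from the malware itself), the following Python mimics a parameter generator that will happily emit a 128-bit Diffie-Hellman prime, the mistake described above, beside an audit routine a defender can run over DH parameters to flag primes below a 2048-bit minimum. The names is_probable_prime, generate_dh_prime and audit_dh_params are chosen here; the generator is a simplified stand-in for DH_generate_parameters, not its algorithm.

```python
import random


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test for arbitrary-size Python integers."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:          # write n-1 as d * 2^r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # witness found: n is composite
    return True


def generate_dh_prime(bits):
    """Stand-in for a DH parameter generator that accepts any prime length.
    Like the 128-bit call in Snake, it enforces no minimum (constructed example)."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # force exact length, odd
        if is_probable_prime(cand):
            return cand


def audit_dh_params(p, g, min_bits=2048):
    """Return a list of findings for DH parameters (p, g); an empty list is acceptable.
    2048 bits is the common minimum recommended for finite-field DH today."""
    findings = []
    if p.bit_length() < min_bits:
        findings.append(f"prime too short: {p.bit_length()} bits < {min_bits}")
    if not is_probable_prime(p):
        findings.append("p is not prime")
    if not 2 <= g <= p - 2:
        findings.append("generator out of range")
    return findings
```

Running audit_dh_params(generate_dh_prime(128), 2) reproduces the advisory's finding: the prime is well formed but 128 bits is far below any acceptable minimum.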