The U.S. Department of Justice has another feather in its cyberwarfare cap after taking down the cybercrime network of Turla, a criminal gang linked to Russia called one of the world’s most sophisticated cyber-espionage groups.
Federal officials on Tuesday announced that cybersecurity and intelligence agencies from all Five Eyes member nations have taken down the infrastructure used by the Snake cyber-espionage malware operated by Russia’s Federal Security Service (FSB).
The Five Eyes Intelligence Oversight and Review Council (FIORC) is composed of non-political intelligence oversight, review, and security entities of Australia, Canada, New Zealand, the United Kingdom, and the United States.
The DOJ also reported neutralizing the Snake malware the group used. Reports claim it was found on computers in 50 countries and previously labeled by U.S. intelligence as “one of the most sophisticated malware sets used by the Russian intelligence services.”
Malicious cyber actors used Snake to access and exfiltrate sensitive international relations documents and other diplomatic communications through a victim in a NATO country. In the U.S., the FSB has victimized industries, including educational institutions, small businesses, and media organizations.
Critical Infrastructure Hit by Aging Snake Malware
Critical infrastructure sectors, such as local government, finance, manufacturing, and telecommunications, have also been impacted, according to Cybersecurity & Infrastructure Security Agency (CISA) reports. CISA is the lead agency responsible for protecting the nation’s critical infrastructure from physical and cyber threats.
The takedown announcement surprised some cybersecurity experts due to its aging nature. The FSB was still using Snake until the takedown. The Snake backdoor is an old framework that was developed in 2003 and multiple times linked to the FSB by many security vendors, according to Frank van Oeveren, manager, Threat Intelligence & Security Research at Fox-IT, part of NCC Group.
“Normally, you would expect the nation-state actors would burn the framework and start developing something new. But Snake itself is sophisticated and well put together, which shows how much time and money was spent in developing the framework,” he told TechNewsWorld.
High Profile Win
“For 20 years, the FSB has relied on the Snake malware to conduct cyber espionage against the United States and our allies — that ends today,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division.
Clearly, the operators of the Snake backdoor made some mistakes. That is often how cyber sleuths succeed in takedowns, noted van Oeveren.
“Over the years, multiple takedowns were performed on Russian Intelligence Service’s backdoors/botnets, which shows a certain degree of amateurism. But Turla has shown their skills and creativity [throughout] , and this should not be underestimated,” he said.
According to NCC Group’s Fox-IT team, the Snake backdoor is only used for high-profile targets, such as governments, the public sector, or organizations working closely with these two.
“This backdoor is purely used for espionage and staying under the radar as long as possible,” he said.
Hiding in Plain Sight
A few years back, van Oeveren’s security team worked on an incident response case where the Snake malware was observed. During this case, Turla stayed undetected for a few years and was only found by pure luck, explained van Oeveren. The backdoor was used to exfiltrate sensitive documents related to the victim’s organization.
“Turla will most likely continue with a different framework, but it is always a surprise what the group will do,” he offered.
In recent times, the Russian Intelligence Service has created multiple backdoors in different programming languages, van Oeveren noted. This shows the willpower to develop new tools for their operations, and he expects they will now develop a similar toolkit in a different programming language.
“Don’t underestimate the group using the Snake backdoor. As we have seen before, it is persistent and usually goes undetected for many years prior to being discovered on a target network,” he warned.
Snake victims should always tackle Snake/Turla compromises with renowned incident response firms. He warned that these attacks and the backdoor usage are too sophisticated to handle on your own.
Organizations can take several steps to protect themselves from malware attacks like the Snake Malware, advised James Lively, endpoint security research specialist at Tanium. These efforts include ensuring that the organization has an accurate inventory of assets, that systems are patched and updated, phishing campaigns and training are undertaken, and that strong access controls are implemented.
“International cooperation can also be improved to tackle cybercrime by encouraging information sharing and signing agreements and NDAs and performing joint investigations,” he told TechNewsWorld.
The biggest cybersecurity threat facing organizations today is insider threat. Organizations can do little to prevent a disgruntled employee or someone with elevated access from causing catastrophic damage.
“To combat this threat, organizations should look to limit access to resources and assign the minimum number of permissions to users that they require to perform their duties,” Lively suggested.
The major lesson to be learned from the disruption of the Snake malware network is that it only takes one unpatched system or one untrained user to click a phishing link to compromise an entire organization, he explained. Low-hanging fruit or taking the route with the least resistance is often the first avenue an attacker targets.
“A prime example of this is an old unpatched system that is public facing to the internet and has been forgotten about by the organization,” he offered as an example.
International Cooperation Essential
Taking down an extensive network run by a state-level security agency is, no doubt, a major undertaking. But even with that, it is still surprising that the Snake malware was able to operate for as long as it did, observed Mike Parkin, senior technical engineer at enterprise cyber risk remediation firm Vulcan Cyber.
Threat actors can use many different attack vectors to land their malware payloads, so there is never just one thing. That said, user education is vital as an organization’s users are its broadest and most complex threat surface.
Organizations also need to ensure their operating systems and applications are kept up to date with a consistent and effective patch program — and being sure that applications are deployed to industry best practices with secure configurations is a necessity, too, according to Parkin.
“Dealing with international politics and geopolitical issues, it can be a real challenge to cooperate across borders effectively. Most Western countries can work together, though jurisdictional challenges often get in the way. And getting cooperation from nations that can be uncooperative at best and actively hostile at worst can make it impossible to deal with some threat actors,” he told TechNewsWorld.