Resources | Picus Security

CISA Alert AA23-129A: Operation MEDUSA - Dismantling of Snake Implant

Written by Huseyin Can YUCEEL | May 10, 2023 12:49:01 PM

On May 9th, 2023, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Snake malware developed and used by the Russian Federal Security Agency (FSB) [1]. CISA considers the Snake implant as the most sophisticated cyber espionage tool in FSB's arsenal. The FBI dismantled the global peer-to-peer network of Snake-infected computers with Operation MEDUSA in coordination with multiple cybersecurity agencies.

In this blog, we explained Snake malware, its developer Turla group, and Operation MEDUSA in detail.

Simulate State-Sponsored Cyber Threats with 14-Day Free Trial of Picus Platform

What is Snake Malware?

Snake malware is a cyber espionage malware designed and used by Center 16 of the Russian Federal Security Service (FSB), also known as the threat group Turla. The development of the implant began in Late 2003 under the name Uroburos. Even after public disclosures, the malware kept under development and received countless upgrades. Over the 20 years of its use, Snake malware also influenced other malware families such as Krypton, Penquin, Carbon (aka Cobra), and Chinch (aka ComRAT).

Turla infected organizations in more than 50 countries worldwide with the Snake implant. The target organizations are chosen strategically to collect sensitive information. Adversaries are known to target NATO countries to eavesdrop on diplomatic communications. Industries victimized by Snake include governments, financial services, manufacturing, communications, media organizations, research facilities, and other critical infrastructure sectors.

As a state-sponsored threat group, Turla applied professional software engineering practices in the development of Snake malware. The design of the implant facilitates software development, debugging, and the use of multiple different components, which allows attackers to adapt to the infected environment. Additionally, Snake malware uses custom network communication protocols that blend effectively with legitimate traffic without impacting the malware's capabilities. These protocols also provide redundancy to adversaries if any protocol is compromised. Snake implant is written entirely in C and capable of running on different operating systems such as Windows, Linux, and macOS.

Adversaries often deploy Snake to external-facing network nodes in the victims' environment to establish a persistent connection. However, Snake is not the only tool in their arsenal. FSB operators often employ keyloggers and network discovery tools for lateral movement attacks in the compromised network.

Operation Medusa: Dismantling the Snake Infrastructure

For nearly 20 years, Turla used Snake malware for cyber espionage against various countries, especially NATO members. Adversaries created a covert peer-to-peer (P2P) network of Snake-infected computers to exfiltrate sensitive documents from their victims. This P2P network allows Turla to disguise their operation as legitimate traffic and circumvent simple IP address or domain blocking.

On May 9th, 2023, The Justice Department of the US announced that they disabled the Snake infrastructure through Operation MEDUSA in coordination with multiple security agencies worldwide [2]. The FBI developed a tool named PERSEUS to establish connections with Snake-infected computers and issue commands to Snake implant to disable itself without harming the legitimate operations of victims.

The detailed cybersecurity advisory released by CISA and co-authors provides detailed information about the tools and techniques used by FSB operators. Although the FBI dismantled Snake infrastructure, organizations are advised to review the advisory and mitigate the security gaps that led to the infection of Snake malware in the first place.

How Picus Helps Simulate Snake Malware Attacks?

We also strongly suggest simulating Snake malware attacks to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus The Complete Security Validation Platform. You can also test your defenses against hundreds of other state-sponsored threat actors, such as HAFNIUM, OilRig, Lazarus, and Sandworm, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Snake malware and Turla APT group

Threat ID

Threat Name

Attack Module

82801

Turla Threat Group Campaign 2022 Endpoint

Endpoint

94902

Turla Threat Group Campaign Malware Download Threat

Network Infiltration

62855

Turla Threat Group Campaign Malware Email Threat

Email Infiltration (Phishing)

59328

Turla Threat Group Campaign Malware Downloader Download Threat

Network Infiltration

72617

Turla Threat Group Campaign Malware Downloader Email Threat

Email Infiltration (Phishing)

References

[1] "Hunting Russian Intelligence 'Snake' Malware," Cybersecurity and Infrastructure Security Agency CISA. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a.

[2] "Justice Department Announces Court-Authorized Disruption of Snake Malware Network Controlled by Russia's Federal Security Service," May 09, 2023. [Online]. Available: https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-snake-malware-network-controlled.