
U.S. discloses how FSB used Snake to steal data
The U.S. government has given cybersecurity professionals a rare glimpse into how malware created by a foreign spy agency works. The U.S. Department of Justice announced that a network of machines compromised by Russia's Federal Security Service (FSB) has been taken down after being in operation for nearly 20 years.
As part of that announcement, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) disclosed how the FSB created a peer-to-peer network, dubbed Snake, that it has been employing to steal information from businesses, media organizations, educational institutions, government agencies, and financial service providers around the world.
According to CISA, Snake is built on a modular architecture that let the FSB add new capabilities over the years to what the agency describes as one of the most sophisticated cyberespionage tools ever created.
How Snake works
Snake ships multiple interchangeable components for the same function, which lets it adapt to different environments, including Windows, macOS, and Linux hosts. Its custom network communications protocols are organized as a stack: every implementation has an encryption layer and a transport layer, and each layer implements a specified interface toward the two layers adjacent to it. The encryption layer and the underlying transport layer therefore function independently, so a new transport can be added beneath the same encryption overlay without changing the encryption layer code.
In practice, that means traffic to and from a compromised machine rides on whichever transport the operators chose, such as Snake's custom HTTP protocol or a raw TCP socket, with the encryption layer applied above it. Snake is written in C, and CISA noted that its developers demonstrate a solid grasp of computer science principles: they select and correctly code asymptotically optimal algorithms, use efficient custom encoding methodologies that closely resemble common encoding schemes, and handle the many possible errors of systems-level programming in a secure manner.
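The layering described above, as an added illustration that is not code from Snake or from CISA: the encryption layer reaches the transport only through two methods, send() and recv(), so the same cipher code runs unchanged over a length-prefixed raw-socket framing or an HTTP wrapper. The keystream (HMAC-SHA256 in counter mode), the transport framings, the host name and the sample beacon are all stand-ins chosen so the example runs with the standard library alone; none of them is Snake's real cipher or wire format, and the toy cipher carries no integrity check, which a real design would need.

```python
"""Added example of a protocol stack with independent encryption and transport layers."""
import hashlib
import hmac
from typing import Protocol, Tuple


class Transport(Protocol):
    """Interface every transport implements; the layer above sees nothing else."""
    def send(self, payload: bytes) -> bytes: ...   # payload -> on-wire bytes
    def recv(self, wire: bytes) -> bytes: ...      # on-wire bytes -> payload


class RawTcpTransport:
    """Framing a raw-socket transport needs: a 4-byte big-endian length prefix."""
    def send(self, payload: bytes) -> bytes:
        return len(payload).to_bytes(4, "big") + payload

    def recv(self, wire: bytes) -> bytes:
        n = int.from_bytes(wire[:4], "big")
        if len(wire) < 4 + n:
            raise ValueError("truncated frame")
        return wire[4:4 + n]


class HttpTransport:
    """Carries the payload as the body of an ordinary-looking POST request (constructed host name)."""
    def send(self, payload: bytes) -> bytes:
        head = (b"POST /upload HTTP/1.1\r\nHost: cdn.example.test\r\n"
                b"Content-Type: application/octet-stream\r\n"
                b"Content-Length: " + str(len(payload)).encode() + b"\r\n\r\n")
        return head + payload

    def recv(self, wire: bytes) -> bytes:
        head, sep, body = wire.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("no header terminator")
        for line in head.split(b"\r\n"):
            if line.lower().startswith(b"content-length:"):
                return body[:int(line.split(b":", 1)[1])]
        raise ValueError("no Content-Length header")


class EncryptionLayer:
    """Encrypts above any Transport; it never touches framing or HTTP details."""
    NONCE_LEN = 8

    def __init__(self, key: bytes, lower: Transport):
        self.key = key
        self.lower = lower

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        # Toy keystream: HMAC-SHA256(key, nonce || counter) blocks, truncated to n bytes.
        blocks, ctr = [], 0
        while sum(len(b) for b in blocks) < n:
            blocks.append(hmac.new(self.key, nonce + ctr.to_bytes(4, "big"),
                                   hashlib.sha256).digest())
            ctr += 1
        return b"".join(blocks)[:n]

    def send(self, plaintext: bytes, nonce: bytes) -> bytes:
        assert len(nonce) == self.NONCE_LEN
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        return self.lower.send(nonce + ct)   # the only call into the transport

    def recv(self, wire: bytes) -> bytes:
        blob = self.lower.recv(wire)
        nonce, ct = blob[:self.NONCE_LEN], blob[self.NONCE_LEN:]
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))


def roundtrip(transport: Transport, message: bytes,
              key: bytes = b"k" * 32) -> Tuple[bytes, bytes]:
    """Push message through the stack and decode it again; returns (wire, plaintext)."""
    layer = EncryptionLayer(key, transport)
    wire = layer.send(message, nonce=b"\x00\x01\x02\x03\x04\x05\x06\x07")
    return wire, layer.recv(wire)


if __name__ == "__main__":
    for t in (RawTcpTransport(), HttpTransport()):   # same cipher code, two transports
        wire, back = roundtrip(t, b"beacon: host=ws01 user=alice")   # constructed beacon
        print(type(t).__name__, wire[:12], back)
```

The point to notice is that EncryptionLayer contains no transport-specific code at all: the ciphertext bytes that follow the TCP length prefix are identical to the bytes in the HTTP body, because only the layer beneath changed.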
Snake is extremely difficult to detect because of how its kernel module is constructed. All known Windows versions of Snake, for example, have used a concealed storage mechanism to hide host componentry. In addition to using the kernel module to remove the relevant components from any listing returned by the operating system, Snake uses the kernel module to mediate every request between Snake's user-mode components and the concealed storage, which is itself encrypted with a unique per-implant key. As a result, the on-disk components leave little for signature-based antimalware to match.
Snake maintains persistence on a Windows system by creating a service named WerFaultSvc. On boot, this service executes Snake's WerFault.exe, which the developers chose to hide among the numerous valid Windows WerFault.exe files in the %windows%\WinSxS\ directory. Executing WerFault.exe starts the process of decrypting Snake's components and loading them into memory. That choice is also a hunting opportunity: Windows has no legitimate service named WerFaultSvc (Windows Error Reporting runs as WerSvc), and the genuine WerFault.exe is launched by Windows Error Reporting rather than registered as a service binary.
Turning Snake against itself
For all that care, the developers of Snake left their network with some distinctive identifiers. The FSB used the OpenSSL library to handle Snake's Diffie-Hellman key exchange, but called DH_generate_parameters with a prime length of only 128 bits, which is inadequate for an asymmetric key system; current guidance puts the floor for finite-field Diffie-Hellman primes at 2048 bits. The key set Snake creates during the exchange is therefore too short to be secure. In addition, some Snake deployments appear to have been rushed: FSB operators neglected to strip the Snake binary, leaving numerous function names, cleartext strings, and developer comments for investigators to find.
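To see why a 128-bit prime is inadequate, here is an added example that is not Snake's code and does not use its real parameters. It runs Diffie-Hellman over a constructed 31-bit toy modulus (the Mersenne prime 2^31 - 1 with generator 7) so that the generic baby-step giant-step attack finishes in milliseconds, then scales the work estimate to the sizes under discussion.

```python
"""Added example: breaking Diffie-Hellman over a toy prime to show why short primes fail."""
import math
import secrets

P = 2**31 - 1   # the Mersenne prime M31; a constructed toy modulus
G = 7           # a primitive root modulo M31, so the group order is P - 1


def dh_keypair(p: int = P, g: int = G):
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared(their_public: int, my_private: int, p: int = P) -> int:
    return pow(their_public, my_private, p)


def bsgs_dlog(h: int, g: int = G, p: int = P) -> int:
    """Solve g^x = h (mod p) by baby-step giant-step: about 2*sqrt(p) work,
    which is the best a generic attacker can do. Index calculus and the
    number field sieve do far better for primes of the size Snake used."""
    n = p - 1
    m = math.isqrt(n) + 1
    baby = {}
    cur = 1
    for j in range(m):          # baby steps: g^0 .. g^(m-1)
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant = pow(g, -m, p)       # g^(-m)
    gamma = h % p
    for i in range(m):          # giant steps: h * g^(-i*m)
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant % p
    raise ValueError("no discrete log found")


def eavesdrop(pub_a: int, pub_b: int, p: int = P, g: int = G) -> int:
    """A passive observer recovers the shared secret from the two public values alone."""
    return pow(pub_b, bsgs_dlog(pub_a, g, p), p)


def generic_attack_work_bits(prime_bits: int) -> int:
    """log2 of the operations a generic sqrt(p)-style attack needs for a given prime size.
    This is an upper bound on attacker effort, not the real cost: for a 128-bit prime
    the number field sieve solves the discrete log in minutes on commodity hardware."""
    return prime_bits // 2


if __name__ == "__main__":
    xa, ya = dh_keypair()
    xb, yb = dh_keypair()
    assert eavesdrop(ya, yb) == dh_shared(yb, xa) == dh_shared(ya, xb)
    print("toy 31-bit DH broken: shared secret recovered from public values")
    for bits in (128, 2048):
        print(f"{bits}-bit prime: generic attack ~2^{generic_attack_work_bits(bits)} operations")
```

The toy modulus makes the attack visible; the lesson is in the scaling. A generic attack on a 128-bit prime costs roughly 2^64 operations, already within reach, and specialised algorithms reduce it to minutes, whereas a 2048-bit prime pushes the generic bound to 2^1024. The bug is in parameter selection, not in OpenSSL: the library builds whatever size it is asked for.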
As innovative as that takedown is, the FSB frequently deploys a keylogger alongside Snake to steal account authentication credentials such as usernames and passwords. Organizations that have been compromised by Snake need to assume those credentials are in the adversary's hands and can be used to regain access to compromised systems and online accounts; disabling the implant is not enough, and any credentials exposed on an infected host should be rotated.
It may be a little disheartening to realize just how sophisticated the attacks launched by cyberespionage organizations really are, and cybersecurity professionals should assume that more such attacks are under way than anyone realizes. On the plus side, the government agencies working to stop these attacks are clearly getting a lot smarter, so there is at least hope that more of them will be thwarted in the months and years ahead.
This Joint Cybersecurity Advisory has the details of Snake and the takedown operation.
