How spies took down Putin’s most treacherous

Akash Arjun

Global Courant 2023-05-11 13:32:00

Russian President Vladimir Putin – Sputnik/Alexei Danichev/Pool via REUTERS

“A real war is being waged against our Motherland!” Vladimir Putin boomed at crowds on Red Square in Moscow this week. But even as his armored cars and military trucks rolled over the cobblestones in the annual Victory Day Parade, Western cyber experts presented the Russian leader with a gift to remember.

The Snake network of malicious software (malware) used by the Russian spy agency FSB was taken offline on Tuesday by the Western spy alliance Five Eyes in a multinational operation codenamed Operation Medusa.

Their removal has disabled a vital Kremlin tool for interfering in Western elections, disrupting businesses and gathering intelligence on Moscow’s enemies – ending a two-decade-long cyber-espionage campaign that indiscriminately targeted both businesses and western governments.

Paul Chichester, the director of operations of the National Cyber Security Centre, describes Snake as “a highly sophisticated espionage tool used by Russian cyber actors … countless companies.”

A spokesperson for Canada’s Communications Security Establishment says: “This collective effort to counter Snake and Snake-related tools has been going on for nearly 20 years as the threat actor has tweaked and modified their malware to keep it viable after repeated public exposures, disclosures and restrictive measures.”

In a groundbreaking collaboration between the West’s five leading cyber powers – Australia, Britain, Canada, New Zealand and the US – the networks of computers used to control Snake’s central piece of malware were kicked off the internet, leaving Russian agents essentially blind.

Vladimir Putin railed against the West during his Victory Day speech this week – Sputnik/Dmitry Astakhov/Pool via REUTERS

In public documents, Western intelligence agencies describe Snake as being deployed in a treacherous and long-running campaign against the interests of global democracy.

The FSB used it to steal sensitive diplomatic documents from a NATO country, while also targeting financial services, critical manufacturers and media organizations across the free world. The personal computer of an unnamed journalist at an American media company was also infected.


John Hultquist, head of intelligence analysis at Google-owned Mandiant, adds that at one point the FSB used Snake to eavesdrop on an Iranian hacking campaign, quietly helping itself to the information being stolen from a Western organization even as the Iranians congratulated themselves on carrying out an intelligence coup.

Experts agree that Snake is one of the most insidious tools of its kind. Hultquist describes the cyber campaign as “one we’ve known the longest” and as “probably one of the slickest and hardest to follow”.

“They’ve been targeting the UK for a long time,” says Hultquist.

“In my experience, they’ve had a lot of operations there. But, you know, there are operations now in Ukraine, there are operations all over Europe.”

“There really is no better time to dazzle their intelligence collectors than when they need it most,” he continued, referring to Russia’s defense against Ukraine’s long-awaited military counter-offensive.

Soviet T-34 tank – M24/Moscow News Agency via AP

Snake’s direct origins date back to 2003, when FSB computer experts began developing a piece of custom malware codenamed Ouroboros by their western counterparts.

That system was finally deployed against the West in 2008, when a curious American soldier in the Middle East picked up a USB stick containing malicious software and inserted it into a computer.

The resulting cascade of virus infections took the US military 14 months to completely eradicate from its networks, with desperate commanders even resorting to a blanket ban on USB sticks.

Created and maintained by a Russian unit also known as Center 16 or Unit 71330, the malware was so powerful that even FSB personnel at their base in Ryazan, 130 miles southeast of Moscow, struggled to use it properly.

“Our investigation has turned up examples of FSB operators … who appeared to be unfamiliar with Snake’s more advanced capabilities,” FBI prosecutors told US federal courts.

But even as the Russians struggled with Snake, American spies monitored activity in the Center 16 buildings from which the spy tool was deployed and learned its weaknesses.

The culmination of Operation Medusa was an FBI technique to “overwrite vital components of the Snake malware without affecting legitimate applications or files” on infected machines, erasing the Russian program from each computer in one fell swoop.

Chester Wisniewski, chief technology officer for applied research at the cybersecurity firm Sophos, says it took the Russians “years and years to develop Snake” and that its loss will hit Putin’s spies hard.

‘Only weeks of breathing space’

GCHQ – CREDIT: Barry Batchelor/PA

The story of the system’s collapse sheds new light on the shadowy battle taking place online between rival governments.

FBI agents developed a way to secretly monitor how Snake infected target computers and quietly pinged its Russian operators to tell them that a newly compromised computer was available for their use.

Using this technique, the FBI mapped not only Snake’s victims, but also the all-important command and control network that gave the software its venom.

Professor Alan Woodward, a cybersecurity expert from the University of Surrey, says Snake’s technical characteristics made it extremely difficult for the West to detect its vulnerabilities. Still, the Russians made crucial mistakes that helped cyber experts cut off the snake’s heads.

Woodward explains that Snake uses a common piece of software called OpenSSL to encrypt its network traffic, making it difficult for prying eyes to read. However, because of a mistake by its operators, Western spies were able to break this protection.

“Someone misused this feature and set (encryption) keys that weren’t strong enough to withstand known attacks,” he says.

“It allowed law enforcement to see exactly how it worked and (identify) the ultimate recipients of the stolen data.

“They left some clues for researchers, such as keywords and job titles… It’s easy to do if you’re in a hurry, but it’s not a fundamental mistake by Snake.”

However, for all the West’s self-congratulation over this week’s takedown, experts agree that it is a temporary setback for the FSB, not a permanent victory.

Don Smith, of the cybersecurity firm Secureworks, estimates Snake could be back online within weeks. Wisniewski of Sophos and Hultquist of Mandiant both put it at months at most.

They all compare the operation of the malware to the cybercrime networks their respective companies track – and all expect the FSB to resurrect the decapitated Snake soon.

“This was a win for the cat,” says Wisniewski, “but the mice are crafty — and they breed quickly.”
