The US Justice Department has achieved another feat in cyber warfare after dismantling the cybercrime network of Turla, a criminal gang linked to Russia, said to be one of the world’s most sophisticated cyber-espionage groups.
Federal authorities announced on Tuesday that the cybersecurity and intelligence agencies of all Five Eyes member countries have removed infrastructure used by the Snake cyber-espionage malware operated by Russia’s Federal Security Service (FSB).
The DOJ also reported neutralizing the Snake malware used by the group. Reports claim it was found on computers in 50 countries and was previously labeled by US intelligence as “one of the most sophisticated malware sets used by Russian intelligence services”.
Malicious cyber actors used Snake to access and exfiltrate sensitive international relations documents and other diplomatic communications through a victim in a NATO country. In the US, the FSB has targeted industries including educational institutions, small businesses, and media organizations.
Critical Infrastructure Hit by Aging Snake Malware
According to the Cybersecurity and Infrastructure Security Agency (CISA) report, critical infrastructure sectors such as local government, finance, manufacturing and telecommunications have also been affected. CISA is the lead agency responsible for protecting the country’s critical infrastructure from physical and cyber threats.
The takedown’s announcement took some cybersecurity experts by surprise because of the malware’s age: until the takedown, the FSB was still using Snake. The Snake backdoor is an older framework, developed in 2003 and linked to the FSB several times by several security vendors, according to Frank van Overen, manager of Threat Intelligence and Security Research at Fox-IT, part of the NCC Group.
“Normally, you would expect nation-state actors to burn down the framework and start developing something new. But Snake itself is sophisticated and well put together, which shows that the framework is being developed and how much time and money was spent on it,” he told TechNewsWorld.
High-Profile Victory
“For 20 years, the FSB has relied on the Snake malware to conduct cyber espionage against the United States and our allies – that ends today,” said Matthew G. Olsen, Assistant Attorney General of the Justice Department’s National Security Division.
Obviously, the operators of the Snake backdoor made some mistakes. Van Overen explained that cyber sleuths often manage to pull off takedowns by capitalizing on such mistakes.
“Over the past few years, several takedowns were carried out on backdoors/botnets of the Russian intelligence service, which shows some degree of amateurishness. But Turla has shown its skill and creativity [throughout], and it should not be underestimated,” he said.
According to NCC Group’s Fox-IT team, the Snake backdoor is used only against high-profile targets, such as governments, the public sector, or organizations that work with them.
“This backdoor is used solely for espionage and to stay under the radar for as long as possible,” he said.
Hiding in Plain Sight
A few years ago, Van Overen’s security team worked on an incident response case in which Snake malware was observed. During this case, Turla went undetected for some years and was found only by pure luck, van Overen explained. The backdoor was used to falsify sensitive documents belonging to the victim organization.
“Turla will most likely continue with a different structure, but it’s always a wonder what the group will do,” he offered.
In recent days, the Russian intelligence service has created a number of backdoors in various programming languages, Van Overen said. This shows its willingness to develop new tools for its operations, and he expects the group will now develop a similar toolkit in a different programming language.
“Don’t underestimate groups using the Snake backdoor. As we’ve seen before, it’s persistent and usually goes undetected for years before it’s discovered on the target network,” he warned.
Snake victims should always engage well-known incident response firms, he added, warning that these attacks and backdoor access are too sophisticated for an organization to handle on its own.
James Lively, endpoint security research specialist at Tanium, advised that organizations can take several steps to protect themselves from malware attacks such as Snake malware. These efforts include ensuring that the organization has an accurate inventory of assets, that systems are patched and updated, phishing campaigns and training are conducted, and that strong access controls are implemented.
“International cooperation to combat cybercrime can also be improved by encouraging information sharing and signing agreements and NDAs and conducting joint investigations,” he told TechNewsWorld.
The biggest cybersecurity threat facing organizations today is the insider threat, according to Lively. Organizations can do little to prevent a disgruntled employee or someone with high access from causing catastrophic damage.
“To combat this threat, organizations should limit access to resources and give users the minimum permissions they need to perform their duties,” Lively suggested.
The key lesson to be learned from the Snake malware network disruption is that it only takes one unpatched system or one untrained user to click on a phishing link to compromise an entire organization, he explained. Taking the low-hanging fruit or the route of least resistance is often the attacker’s first goal.
“A prime example of this is an old unpatched system that is publicly facing the Internet and has been forgotten by the organization,” he offered.
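The advice above (keep an accurate asset inventory, patch consistently, and hunt for forgotten Internet-facing systems) is easier to act on when it is turned into a repeatable check. The script below is an added illustration written for this page; it is not code from the article or from any of the vendors quoted in it. It reconciles a constructed asset inventory against a constructed list of hostnames seen from outside the network, and flags three things a defender would want to know about: exposed hosts nobody inventoried, inventoried Internet-facing hosts whose last patch date is older than a policy threshold (the 60-day value and the example.test hostnames are assumptions), and assets with no recorded owner, which are the ones that tend to fall out of patch cycles.

```python
"""Reconcile an asset inventory against externally visible hosts.

Added example for this page, not code from the article or any vendor quoted
in it. Inventory rows, the external-scan results and the 60-day patch policy
are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    host: str
    owner: str            # empty string means nobody is recorded as responsible
    last_patched: date
    internet_facing: bool


# Constructed inventory: what the organization believes it owns.
INVENTORY = [
    Asset("web-01.example.test", "webteam", date(2023, 4, 28), True),
    Asset("mail-01.example.test", "it-ops", date(2023, 2, 1), True),
    Asset("hr-db.example.test", "hr-apps", date(2023, 5, 2), False),
    Asset("vpn-01.example.test", "", date(2023, 5, 1), True),
]

# Constructed result of an external exposure review (e.g. an attack-surface
# management tool or a DNS zone audit): hostnames that answer from the Internet.
EXTERNALLY_SEEN = {
    "web-01.example.test",
    "mail-01.example.test",
    "legacy-portal.example.test",   # present on the Internet, absent from the inventory
}


def unknown_exposed_hosts(inventory, externally_seen):
    """Hosts visible from outside but missing from the inventory: the
    'forgotten' systems the article warns about."""
    known = {a.host for a in inventory}
    return sorted(externally_seen - known)


def stale_exposed_assets(inventory, today, max_patch_age_days=60):
    """Inventoried Internet-facing assets whose last patch is older than the
    (assumed) policy threshold."""
    return sorted(
        a.host
        for a in inventory
        if a.internet_facing and (today - a.last_patched).days > max_patch_age_days
    )


def unowned_assets(inventory):
    """Inventoried assets with no owner recorded."""
    return sorted(a.host for a in inventory if not a.owner)


def exposure_report(inventory, externally_seen, today):
    """Combine the three checks into one report keyed by finding type."""
    return {
        "unknown_exposed": unknown_exposed_hosts(inventory, externally_seen),
        "stale_exposed": stale_exposed_assets(inventory, today),
        "unowned": unowned_assets(inventory),
    }


def demo_report():
    """Run the checks on the constructed data as of a fixed date."""
    return exposure_report(INVENTORY, EXTERNALLY_SEEN, date(2023, 5, 10))


if __name__ == "__main__":
    for finding, hosts in demo_report().items():
        print(f"{finding}: {hosts}")
```

Each finding maps to one of the recommendations in the text: `unknown_exposed` is the inventory gap, `stale_exposed` is the patch-program failure, and `unowned` points at assets likely to become the next forgotten system. In practice the two input lists would come from the organization's CMDB and an external scan rather than being hard-coded, but the reconciliation logic is the same.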
International Cooperation Required
Taking down an extensive network run by a state-level security agency is undoubtedly a major undertaking. Even so, it is still surprising that the Snake malware was able to operate for as long as it did, observed Mike Parkin, senior technical engineer at enterprise cyber risk remediation firm Vulcan Cyber.
Threat actors can use a number of different attack vectors to land their malware payloads, so there’s never just one thing. That said, user education is important because an organization’s users are its widest and most complex threat surface.
According to Parkin, organizations also need to ensure that their operating systems and applications are kept up to date with a consistent and effective patch program, and that applications are deployed according to industry best practices with secure configurations.
“Dealing with international politics and geopolitical issues, cooperating effectively across borders can be a real challenge. Most Western countries can work together, although jurisdictional challenges often get in the way. And obtaining cooperation from nations that may be uncooperative and actively hostile can make some threat actors impossible to deal with,” he told TechNewsWorld.