
The Origin Story of the APT Turla, the Hunt for “The Snake” Malware, and Current Steps for Prevention

As with our recent coverage of the People’s Republic of China’s advanced persistent threat (APT) Volt Typhoon, OODA Loop Contributor Emilio Iasiello led the way with his coverage of the international cooperation behind the multilateral disruption of a unit within Center 16 of the Federal Security Service of the Russian Federation (FSB) known as “Turla” (also tracked as Venomous Bear and Waterbug). The same operation disrupted “The Snake,” an active global malware owned and operated by Turla, which US agencies describe as the “premiere espionage tool” of Russia’s FSB intelligence agency.

Following is a deeper dive into this major cyber offensive operation – including the role OODA CTO Bob Gourley has in the origin story of the decades-long hunt for Turla and discovery of “The Snake” malware.

Note: Steps for mitigation efforts by your organization against Turla and The Snake malware are included here (excerpted from a CISA Joint Advisory).

Justice Department (DoJ) Announces Court-Authorized Disruption of Snake Malware Network Controlled by Russia’s Federal Security Service

From the DoJ on May 9th, 2023:

The Justice Department today announced the completion of a court-authorized operation, code-named MEDUSA, to disrupt a global peer-to-peer network of computers compromised by sophisticated malware, called “Snake”, that the U.S. Government attributes to a unit within Center 16 of the Federal Security Service of the Russian Federation (FSB). For nearly 20 years, this unit, referred to in court documents as “Turla,” has used versions of the Snake malware to steal sensitive documents from hundreds of computer systems in at least 50 countries, which have belonged to North Atlantic Treaty Organization (NATO) member governments, journalists, and other targets of interest to the Russian Federation. After stealing these documents, Turla exfiltrated them through a covert network of unwitting Snake-compromised computers in the United States and around the world.

Operation MEDUSA disabled Turla’s Snake malware on compromised computers through the use of an FBI-created tool named PERSEUS, which issued commands that caused the Snake malware to overwrite its own vital components. Within the United States, the operation was executed by the FBI pursuant to a search warrant issued by U.S. Magistrate Judge Cheryl L. Pollak for the Eastern District of New York, which authorized remote access to the compromised computers. This morning, the court unsealed redacted versions of the affidavit submitted in support of the application for the search warrant, and of the search warrant issued by the court. For victims outside the United States, the FBI is engaging with local authorities to provide both notice of Snake infections within those authorities’ countries and remediation guidance. (1)

According to Wired:  “In its announcement—and in court documents filed to carry out the operation—the FBI and DOJ went further, and officially confirmed for the first time the reporting from a group of German journalists last year which revealed that Turla works for the FSB’s Center 16 group in Ryazan, outside Moscow. It also hinted at Turla’s incredible longevity as a top cyberspying outfit: An affidavit filed by the FBI states that Turla’s Snake malware had been in use for nearly 20 years.” (2)

OODA Loop’s Iasiello offered the following insights and reasons for the timing of Operation Medusa:

“Not surprisingly, there has been little-to-no acknowledgment from Russia, who undoubtedly is still feeling the sting of the disruption of one of – if not the – most sophisticated cyberoperations group in its arsenal.  The breadth of Turla operations no doubt has been several years in the making, and while the United States and other allied countries have closely tracked Turla’s progression, there has never been a prior attempt to halt its operations.  There are several possible explanations for this, including the United States’ desire to keep it running so it could further study how and from where Turla operated. Or it could reflect the United States not having a full understanding of the group’s operations until more recently when it could organize a response to it. Or perhaps some combination of the two.

The likely timing of the disruption may indicate that the Five Eyes sought to preemptively dismantle Turla’s infrastructure in advance of suspecting an impending attack (perhaps in concert with Russia’s kinetic military spring offensive). Turla conducted some of the early cyber reconnaissance against specific Ukrainian targets in the days leading up to the physical invasion (as a way of executing follow-on surreptitious data theft to support strategic needs, according to one cybersecurity vendor).  It would follow that Turla may have been ramping up its cyber espionage apparatus to ascertain Ukraine’s plans for a spring counteroffensive, as well as execute similar campaigns against European and NATO countries to glean internal discussions about the conflict, discover any changes in their positions, intent to provide additional support – or any other relevant change in policy.”

The Underground History of Russia’s Most Ingenious Hacker Group

by Andy Greenberg, Senior Writer, Wired

“From USB worms to satellite-based hacking, Russia’s FSB hackers known as Turla have spent 25 years distinguishing themselves as “adversary number one.”

OODA LLC and OODA Loop have a personal and professional stake in the disruption of Turla that dates back decades.

Wired magazine recently reached out to OODA CTO Bob Gourley to capture his personal retelling of the early stages of the hunt for and discovery of XXXX

From the Wired coverage:

Ask Western cybersecurity intelligence analysts who their “favorite” group of foreign state-sponsored hackers is—the adversary they can’t help but grudgingly admire and obsessively study—and most won’t name any of the multitudes of hacking groups working on behalf of China or North Korea. Not China’s APT41, with its brazen sprees of supply chain attacks, nor the North Korean Lazarus hackers who pull off massive cryptocurrency heists. Most won’t even point to Russia’s notorious Sandworm hacker group, despite the military unit’s unprecedented blackout cyberattacks against power grids or destructive self-replicating code.

Instead, connoisseurs of computer intrusion tend to name a far more subtle team of cyberspies that, in various forms, has silently penetrated networks across the West for far longer than any other: a group known as Turla.

In fact, Turla has arguably been operating for at least 25 years, says Thomas Rid, a professor of strategic studies and cybersecurity historian at Johns Hopkins University. He points to evidence that it was Turla—or at least a kind of proto-Turla that would become the group we know today—that carried out the first-ever cyberspying operation by an intelligence agency targeting the US, a multiyear hacking campaign known as Moonlight Maze.

Here’s a brief history of Turla’s two-and-a-half decades of elite digital spying, stretching back to the very beginning of the state-sponsored espionage arms race.

“This was not just a couple of kids. This was a well-resourced, state-sponsored organization. It was the first time, really, where a nation-state was doing this.” – OODA CTO Bob Gourley

1996: Moonlight Maze

By the time the Pentagon began investigating a series of intrusions of US government systems as a single, sprawling espionage operation, it had been going on for at least two years and was siphoning American secrets on a massive scale. In 1998, federal investigators discovered that a mysterious group of hackers had been prowling the networked computers of the US Navy and Air Force, as well as those of NASA, the Department of Energy, the Environment Protection Agency, the National Oceanic and Atmospheric Administration, a handful of US universities, and many others. One estimate would compare the hackers’ total haul to a stack of papers three times the height of the Washington Monument.

From early on, counterintelligence analysts believed that the hackers were Russian in origin, based on their real-time monitoring of the hacking campaign and the types of documents they targeted, says Bob Gourley, a former US Defense Department intelligence officer who worked on the investigation. Gourley says that it was the hackers’ apparent organization and persistence that made the most lasting impression on him. “They’d reach a wall, and then someone with different skills and patterns would take over and break through that wall,” Gourley says. “This was not just a couple of kids. This was a well-resourced, state-sponsored organization. It was the first time, really, where a nation-state was doing this.”

Investigators found that when the Moonlight Maze hackers—a codename given to them by the FBI—exfiltrated data from their victims’ systems, they used a customized version of a tool called Loki2, and would continually tweak that piece of code over the years. In 2016, a team of researchers including Rid and Guerrero-Saade would cite that tool and its evolution as evidence that Moonlight Maze was in fact the work of an ancestor of Turla: They pointed to cases where Turla’s hackers had used a unique, similarly customized version of Loki2 in its targeting of Linux-based systems fully two decades later.

For the history covering 2008 through 2022, go to the following sections in the Wired article:

2008: Agent.btz – Ten years after Moonlight Maze, Turla shocked the Defense Department again. The NSA discovered in 2008 that a piece of malware was beaconing out from inside the classified network of the DOD’s US Central Command. That network was “air-gapped”—physically isolated such that it had no connections to internet-connected networks. And yet someone had infected it with a piece of self-spreading malicious code, which had already copied itself to an untold number of machines. Nothing like it had ever been seen before on US systems.

2015: Satellite Command-and-Control – By the mid-2010s, Turla was already known to have hacked into computer networks in dozens of countries around the world, often leaving a version of its Snake malware on victims’ machines. It was revealed in 2014 to be using “watering-hole” attacks, which plant malware on websites with the goal of infecting their visitors. But in 2015, researchers at Kaspersky uncovered a Turla technique that would go much further toward cementing the group’s reputation for sophistication and stealth: hijacking satellite communications to essentially steal victims’ data via outer space.

2019: Piggybacking on Iran – Plenty of hackers use “false flags,” deploying the tools or techniques of another hacker group to throw investigators off their trail. In 2019, the NSA, the Cybersecurity and Infrastructure Security Agency (CISA), and the UK’s National Cybersecurity Center warned that Turla had gone much further: It had silently taken over another hacker group’s infrastructure to commandeer their entire spying operation.  In a joint advisory, the US and UK agencies revealed that they’d seen Turla not only deploy malware used by an Iranian group known as APT34 (or Oilrig) to sow confusion, but that Turla had also managed to hijack the command-and-control of the Iranians in some cases, gaining the ability to intercept data that the Iranian hackers had been stealing and even sending their own commands to the victim computers the Iranians had hacked.

2022: Hijacking a Botnet – Cybersecurity firm Mandiant reported earlier this year that it had spotted Turla carrying out a different variant of that hacker-hijacking trick, this time taking over a cybercriminal botnet to sift through its victims.  In September 2022, Mandiant found that a user on a network in Ukraine had plugged a USB drive into their machine and infected it with the malware known as Andromeda, a decade-old banking trojan. But when Mandiant looked more closely, they found that that malware had subsequently downloaded and installed two tools Mandiant had previously tied to Turla.

2023: Beheaded By Perseus

Last week, the FBI announced that it had struck back against Turla. By exploiting a weakness in the encryption used in Turla’s Snake malware and remnants of code that the FBI had studied from infected machines, the bureau announced it had learned to not only identify computers infected with Snake, but also send a command to those machines that the malware would interpret as an instruction to delete itself. Using a tool it had developed, called Perseus, it had purged Snake from victims’ machines around the world. Along with CISA, the FBI also released an advisory that details how Turla’s Snake sends data through its own versions of the HTTP and TCP protocols to hide its communications with other Snake-infected machines and Turla’s command-and-control servers.

That disruption will no doubt undo years of work for Turla’s hackers, who have been using Snake to steal data from victims around the world since as early as 2003, even before the Pentagon discovered Agent.btz. The malware’s ability to send well-concealed data covertly between victims in a peer-to-peer network made it a key tool for Turla’s espionage operations. (2)

What’s Next?

“Really, it’s adversary number one.”

Wired’s Greenberg fast-forwarded with the following:

Given [its] history, the group will absolutely be back, says Rid, even after the FBI’s latest disruption of its toolkit. “Turla is really the quintessential APT,” says Rid [of Johns Hopkins], using the abbreviation for “advanced persistent threat,” a term the cybersecurity industry uses for elite state-sponsored hacking groups. “Its tooling is very sophisticated, it’s stealthy, and it’s persistent. A quarter-century speaks for itself. Really, it’s adversary number one.”

Throughout its history, Turla has repeatedly disappeared into the shadows for years, only to reappear inside well-protected networks including those of the US Pentagon, defense contractors, and European government agencies. But even more than its longevity, it’s Turla’s constantly evolving technical ingenuity—from USB worms, to satellite-based hacking, to hijacking other hackers’ infrastructure—that’s distinguished it over those 25 years, says Juan Andres Guerrero-Saade, who leads threat intelligence research at the security firm SentinelOne. “You look at Turla, and there are multiple phases where, oh my god, they did this amazing thing, they pioneered this other thing, they tried some clever technique that no one had done before and scaled it and implemented it,” says Guerrero-Saade. “They’re both innovative and pragmatic, and it makes them a very special APT group to track.”

“This is an infinite game. If they’re not already back in those systems, they will be soon.”

But no one should deceive themselves that dismantling the Snake network—even if the malware could be wholly eradicated—would mean the end of one of Russia’s most resilient hacker groups. “This is one of the best actors out there, and there’s no doubt in my mind that the cat-and-mouse game continues,” says Rid, of Johns Hopkins. “More than anyone else, they have a history of evolving. When you shine a light on their operations and tactics and techniques, they evolve and retool and try to become more stealthy again. That’s the historical pattern that began in the 1990s.”

“For them, those gaps in your timeline are a feature,” Rid adds, pointing to the sometimes-yearslong stretches when Turla’s hacking techniques largely stayed out of news stories and security researchers’ papers.

As for Gourley, who hunted Turla 25 years ago as an intelligence officer in the midst of Moonlight Maze, he applauds the FBI’s operation. But he also warns that killing some Snake infections is very different from defeating Russia’s oldest cyberspying team. “This is an infinite game. If they’re not already back in those systems, they will be soon,” Gourley says. “They’re not going away. This is not the end of cyberespionage history. They will definitely, definitely be back.” (2)

From the DoJ

  • To empower network defenders worldwide, the FBI, the National Security Agency, the Cybersecurity and Infrastructure Security Agency, the U.S. Cyber Command Cyber National Mission Force, and six other intelligence and cybersecurity agencies from each of the Five Eyes member nations issued a joint cybersecurity advisory (the Joint Advisory) with detailed technical information about the Snake malware that will allow cybersecurity professionals to detect and remediate Snake malware infections on their networks.
  • The FBI and U.S. Department of State are also providing additional information to local authorities in countries where computers that have been targeted by the Snake malware have been located.
  • Although Operation MEDUSA disabled the Snake malware on compromised computers, victims should take additional steps to protect themselves from further harm.
  • The operation to disable Snake did not patch any vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks. The Department of Justice strongly encourages network defenders to review the Joint Advisory for further guidance on detection and patching.
  • Moreover, as noted in court documents, Turla frequently deploys a “keylogger” with Snake that Turla can use to steal account authentication credentials, such as usernames and passwords, from legitimate users. Victims should be aware that Turla could use these stolen credentials to fraudulently re-access compromised computers and other accounts. (2)

From the Joint Advisory “Hunting Russian Intelligence “Snake” Malware”

Alert Code: AA23-129A
SUMMARY

The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive targets. To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide. Many systems in this P2P network serve as relay nodes that route disguised operational traffic to and from Snake implants on the FSB’s ultimate targets. Snake’s custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts.

We have identified Snake infrastructure in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia, to include the United States and Russia itself. Although Snake uses infrastructure across all industries, its targeting is purposeful and tactical in nature. Globally, the FSB has used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities, and journalists. As one example, FSB actors used Snake to access and exfiltrate sensitive international relations documents, as well as other diplomatic communications, from a victim in a North Atlantic Treaty Organization (NATO) country. Within the United States, the FSB has victimized industries including education, small businesses, and media organizations, as well as critical infrastructure sectors including government facilities, financial services, critical manufacturing, and communications.

This Cybersecurity Advisory (CSA) provides background on Snake’s attribution to the FSB and detailed technical descriptions of the implant’s host architecture and network communications. This CSA also addresses a recent Snake variant that has not yet been widely disclosed. The technical information and mitigation recommendations in this CSA are provided to assist network defenders in detecting Snake and associated activity. For more information on FSB and Russian state-sponsored cyber activity, please see the joint advisory Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure and CISA’s Russia Cyber Threat Overview and Advisories webpage.


PREVENTION

Note that the mitigations that follow are not meant to protect against the initial access vector and are only designed to prevent Snake’s persistence and hiding techniques.

Change Credentials and Apply Updates

System owners who are believed to be compromised by Snake are advised to change their credentials immediately (from a non-compromised system) and to not use any type of passwords similar to those used before. Snake employs a keylogger functionality that routinely returns logs back to FSB operators. Changing passwords and usernames to values which cannot be brute forced or guessed based on old passwords is recommended.

System owners are advised to apply updates to their Operating Systems. Modern versions of Windows, Linux, and MacOS make it much harder for adversaries to operate in the kernel space. This will make it much harder for FSB actors to load Snake’s kernel driver on the target system.

Execute Organizational Incident Response Plan

If system owners receive detection signatures of Snake implant activity or have other indicators of compromise that are associated with FSB actors using Snake, the impacted organization should immediately initiate their documented incident response plan.

We recommend implementing the following Cross-Sector Cybersecurity Performance Goals (CPGs) to help defend against FSB actors using Snake, or mitigate negative impacts post-compromise:

CPG 2.A: Changing Default Passwords will prevent FSB actors from compromising default credentials to gain initial access or move laterally within a network.

CPG 2.B: Requiring Minimum Password Strength across an organization will prevent FSB actors from being able to successfully conduct password spraying or cracking operations.

CPG 2.C: Requiring Unique Credentials will prevent FSB actors from compromising valid accounts through password spraying or brute force.

CPG 2.E: Separating User and Privileged Accounts will make it harder for FSB actors to gain access to administrator credentials.

CPG 2.F: Network Segmentation to deny all connections by default unless explicitly required for specific system functionality, and ensure all incoming communication is going through a properly configured firewall.

CPG 2.H: Implementing Phishing Resistant MFA adds an additional layer of security even when account credentials are compromised and can mitigate a variety of attacks towards valid accounts, to include brute forcing passwords and exploiting external remote services software.

CPG 4.C: Deploy Security.txt Files to ensure all public-facing web domains have a security.txt file that conforms to the recommendations in RFC 9118.

APPENDIX

Partnership

This advisory was developed as a joint effort by an international partnership of multiple agencies in furtherance of the respective cybersecurity missions of each of the partner agencies, including our responsibilities to develop and issue cybersecurity specifications and mitigations. This partnership includes the following organizations:

Collectively, we use a variety of sources, methods, and partnerships to acquire information about foreign cyber threats. This advisory contains the information we have concluded can be publicly released, consistent with the protection of sources and methods and the public interest. (3)


About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.