BAE Systems Applied Intelligence unveils extent of venomous nature of complex cyber espionage ‘Snake’ operation, which has been in development since 2005

New research from BAE Systems Applied Intelligence today reveals further details on how the recently disclosed ‘Snake’ cyber espionage toolkit operates. The research includes descriptions of how the malware communicates, the distinctive architectures that have evolved over the years, the novel tricks used to bypass Windows security, and how it hides from traditional defensive tools.
In addition, timelines of the malware’s development reveal that, contrary to previous reports, the malware has actually been in development since at least 2005. From the complexity of the malware, and the range of variants and techniques used to support its operation, the research also suggests that Snake’s authors and operators are committed and well-funded professionals.
The BAE Systems Applied Intelligence analysis follows a report last week from a German security company that exposed a component from this project, and opened the lid on a campaign which has been a covert but persistent threat. BAE Systems Applied Intelligence has built a picture of the activity, and in particular the countries in which this has been seen – mostly in Eastern Europe, but also in the US, UK and other Western European countries.
This threat has received significant attention in the past, albeit under a different name: Agent.BTZ. It came to the surface in 2008 and again in 2011, when sources familiar with the US Department of Defense disclosed that its classified networks had been breached by an early version from this same operation. Since then the authors have continued development and deployed many advanced features that make it a far more menacing threat than before. Until now the campaign has largely managed to remain under the radar of the mainstream security industry.
The resilience of the Snake malware in the face of cyber security countermeasures is in part a result of its kernel-centric architecture, which is extraordinary in its complexity. Its design suggests that the attackers possess an arsenal of infiltration tools and bears all the hallmarks of a highly sophisticated cyber operation. Most notable is the trick used by the developers to load unsigned malware on 64-bit Windows machines, bypassing a fundamental element of Windows security.
In conjunction with the threat analysis report, BAE Systems Applied Intelligence is also releasing today a set of technical indicators that will allow organisations to identify compromises, and security companies to develop improved defences.
Martin Sutherland, Managing Director, BAE Systems Applied Intelligence, said:
“What this research once more demonstrates is how organised and well-funded adversaries are using highly sophisticated tools and techniques to target legitimate organisations on a massive scale. Although there has been some awareness of the Snake malware for some years, until now the full scale of its capabilities could not be revealed, and the threat it presents is clearly something that needs to be taken much more seriously.
“The threat described in this report really does raise the bar in terms of what potential targets, and the security community in general, have to do to keep ahead of cyber attackers. As the Snake research clearly illustrates, the challenge of keeping confidential information safe will continue for many years to come. Hopefully, however, this research will help potential targets to better understand the nature of their threat adversary, and how they can build appropriate defences.”