'Snake' APTs call for new security approach

British cyber specialist BAE has issued a “call to arms” to security professionals to find new ways to combat advanced threats, after revealing that the Russian ‘Snake' malware campaign has stayed almost undetected for at least eight years while infiltrating highly sensitive systems.

BAE Systems Applied Intelligence (formerly Detica) revealed the 'venomous' nature of Snake in a 7 March report, including its ability to hide in the victim's web traffic, more than 50 modules that allow it to adapt for different cyber attacks, a stealth mode to lie dormant for a specified number of days, and its ability to exploit a privilege escalation vulnerability in Oracle's VirtualBox malware analysis system, which enables it to bypass Windows 64-bit security – akin to a 'zero-day' exploit, BAE says.

BAE has analysed more than 100 samples of Snake and found it targeting countries mainly in Eastern Europe, but also the US, UK and other Western European countries. The malware can infiltrate Windows XP, Vista, 7 and 8-based systems.

BAE has also confirmed Snake is a “far more menacing” update of the notorious Agent.BTZ attack, which in 2008 infiltrated the US Defence and State departments' network for transmitting classified material, and the Joint Worldwide Intelligence Communication System which was used to send top-secret information to US officials worldwide.

Agent.BTZ was also spotted when it 'beaconed' out stolen data to its command server, but BAE says Snake can now hide its stolen data within the user's internet traffic, describing its architecture as “extraordinary in its complexity” and “quite unique”.

David Garfield, managing director for cyber security at BAE Systems Applied Intelligence, told SCMagazineUK.com: “It's very good at hiding in the actual web browser of the user so if you're trying to look for abnormal behaviour it's nigh-on impossible, because it's literally manipulating the web traffic that that user's already sending.”

Garfield said Snake also has a peer-to-peer mode that enables it to 'hop' across networks protected from the internet until it finds a server that's connected. BAE's report confirmed: “The architecture is designed to grant Snake as much flexibility as possible. When most of the infected hosts are cut off from the outside world, it only needs one host to be connected online. The traffic is then routed through that host to make external control and data exfiltration still possible.”

Snake is the same toolkit as 'Uroburos' (meaning snake or dragon), revealed by German research firm G Data SecurityLabs last month as stealing confidential data from government and other high-profile targets since 2011. But BAE's analysis shows Snake has been in existence since at least 2005, six years longer than previously thought.

G Data linked the toolkit to the Russian intelligence service. BAE notes its use of the Russian language but says only that a “well-established cyber espionage operation” is behind the attack.

In between its appearances in 2008 and 2011, BAE says that the campaign remained largely hidden from sight. And because of Snake's stealth and sophistication, BAE is urging security professionals to change their approach to this and other APT attacks.

Garfield told SCMagazineUK.com: “Snake is up with the most sophisticated tools we've seen out in the wild. That's led to it being able to remain largely undetected for so long. Its modular nature and architecture shows it can be rapidly improved and evolved. It remains a threat and this will be an ongoing battle.”

Garfield warned that while BAE is now sending out signatures and indicators to help CISOs spot the attack, Snake will inevitably evolve to evade these measures.

As a result, Garfield said: “The security community needs to come together - it's a call to arms to the community to look at this and other similar threat groups to try and understand how these more covert and more sophisticated pieces of malware can be detected in the future. It just underlines the gap that exists in current security measures.”

Garfield suggested CISOs need to move away from relying on signature- and indicator-based detection, towards “more behavioural approaches and more sophisticated monitoring tools to look at all the data available to you to try and detect these attacks”.

Security expert Brian Honan of BH Consulting agreed. He told SCMagazineUK.com via email: “If organisations are solely relying on defences that are good at protecting against known attacks then they are vulnerable to much of the more advanced malware that is out there. In particular, if such an organisation should become targeted by sophisticated attackers they are vulnerable to attack tools like Snake. To better protect themselves organisations should look for unusual types of behaviour on their systems and networks.”

Honan said: “Too often when we help clients investigate breaches we find they could have detected, or indeed prevented, the breach if they had been proactively monitoring their logs and network. Proactive monitoring of network traffic, such as DNS requests, could indicate suspicious traffic being directed to unusual hosts. Likewise effective monitoring of system and security logs can provide early indications of a compromise.”

Snake can operate at both kernel and user level. In its 2008 guise, it got into the US intelligence network via a flash drive on a computer, but Garfield said it can now infect systems through an email attachment or link to a website.

BAE's report 'Snake Campaign & Cyber Espionage Toolkit' is available at http://www.baesystems.com/ai/snakemalware. BAE urges CISOs to search their logs for connections to the Snake command and control servers listed in the report, search for MD5 hashes of the known samples shown in the report, use indicators of compromise for building host-based rules and deploy SNORT rules for network-based detection of Snake.
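The three log checks described above, Honan's proactive monitoring of DNS requests for unusual destinations and BAE's advice to search logs for C2 connections and for the MD5 hashes of known samples, are shown below as an added example. It is not code from the article, from BAE's report or from BH Consulting, and every hostname, hash, file path and log line in it is a constructed placeholder; the indicators that matter in practice are the ones published in BAE's report.

```python
import hashlib

# Constructed watchlist standing in for the C2 hosts listed in BAE's report.
# None of these values come from the report; they exist only to exercise the code.
C2_HOSTS = {"c2-placeholder-1.example.invalid", "c2-placeholder-2.example.invalid"}

# Constructed bytes standing in for a known malware sample. Its MD5 is computed
# here so the watchlist contains a hash of something the block actually holds,
# rather than a copied indicator.
KNOWN_BAD_SAMPLE = b"constructed-snake-sample-placeholder"
KNOWN_BAD_MD5 = {hashlib.md5(KNOWN_BAD_SAMPLE).hexdigest()}

# Constructed proxy log: client IP, method, destination host, HTTP status.
PROXY_LOG = """\
10.0.0.12 GET www.example.com 200
10.0.0.12 POST c2-placeholder-1.example.invalid 200
10.0.0.15 GET intranet.corp.example 200
10.0.0.21 GET www.example.com 200
10.0.0.21 GET rare-host.example.net 200
"""

# Constructed DNS query log: client IP, record type, queried name.
DNS_LOG = """\
10.0.0.12 A www.example.com
10.0.0.12 A c2-placeholder-2.example.invalid
10.0.0.15 A intranet.corp.example
10.0.0.21 A www.example.com
10.0.0.21 A rare-host.example.net
"""

# Constructed file contents keyed by path, standing in for files found on a host.
FILES = {
    "C:\\Windows\\System32\\drivers\\legit.sys": b"benign driver placeholder",
    "C:\\Users\\alice\\AppData\\Local\\Temp\\tmp1.dat": KNOWN_BAD_SAMPLE,
}


def find_c2_connections(proxy_log, watchlist=C2_HOSTS):
    """Return (client, host) pairs whose destination is on the C2 watchlist."""
    hits = []
    for line in proxy_log.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash the sweep
        client, host = parts[0], parts[2].lower()
        if host in watchlist:
            hits.append((client, host))
    return hits


def rare_dns_destinations(dns_log, max_clients=1, internal_suffixes=(".corp.example",)):
    """Names queried by at most max_clients distinct clients, excluding known-internal
    suffixes. This is a triage cue for 'unusual hosts', not a verdict: rare is not
    the same as malicious, so these names go to an analyst, not to a block list."""
    clients_per_name = {}
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, _rtype, qname = parts
        qname = qname.lower()
        if qname.endswith(internal_suffixes):
            continue
        clients_per_name.setdefault(qname, set()).add(client)
    return sorted(n for n, c in clients_per_name.items() if len(c) <= max_clients)


def match_sample_hashes(files, bad_md5=KNOWN_BAD_MD5):
    """Return paths of files whose MD5 matches a known-sample hash."""
    return sorted(path for path, data in files.items()
                  if hashlib.md5(data).hexdigest() in bad_md5)


def run_sweep():
    """Run all three checks and return the findings as one dict."""
    return {
        "c2_connections": find_c2_connections(PROXY_LOG),
        "rare_dns_names": rare_dns_destinations(DNS_LOG),
        "hash_matches": match_sample_hashes(FILES),
    }


if __name__ == "__main__":
    for check, findings in run_sweep().items():
        print(f"{check}: {findings}")
```

The watchlist checks are only as good as the indicator list, which is the point Garfield makes about Snake evolving past published signatures; the rarity check is the behavioural complement, and it deliberately surfaces benign-looking one-off names for an analyst to look at rather than deciding for them.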