Tool used by Russia’s Federal Security Service
The Australian Cyber Security Centre has released a Joint Cybersecurity Advisory with its international partners on the Snake implant. The Snake implant is a sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service for long-term intelligence collection on sensitive targets.
The Australian Cyber Security Centre has identified Snake infrastructure in over 50 countries; its targeting is purposeful and tactical, designed to collect intelligence from high-priority targets, such as government networks, research facilities, and journalists.
This Cybersecurity Advisory provides background on Snake’s attribution and detailed descriptions of the implant’s host architecture and network communications.
The technical information and mitigation recommendations provided are designed to assist network defenders in detecting Snake and associated activity. The Snake implant is considered the most sophisticated cyber espionage tool developed and used by Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive targets.
To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide. Many systems in this P2P network serve as relay nodes that route disguised operational traffic to and from Snake implants on the FSB’s ultimate targets.
Snake’s custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts. We have identified Snake infrastructure in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia, including the United States and Russia. Although Snake uses infrastructure across all industries, its targeting is purposeful and tactical.
Globally, the FSB has used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities, and journalists.
As one example, FSB actors used Snake to access and exfiltrate sensitive international relations documents and other diplomatic communications from a victim in a North Atlantic Treaty Organization (NATO) country.
The FSB has victimised industries within the United States, including education, small businesses, media organisations, and critical infrastructure sectors, including government facilities, financial services, critical manufacturing, and communications.
This Cybersecurity Advisory (CSA) provides background on Snake’s attribution to the FSB and detailed technical descriptions of the implant’s host architecture and network communications. This CSA also addresses a recent Snake variant that has not yet been widely disclosed.
The technical information and mitigation recommendations in this CSA are provided to assist network defenders in detecting Snake and associated activity.
For more information on FSB and Russian state-sponsored cyber activity, please see the joint advisory Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure and CISA’s Russia Cyber Threat Overview and Advisories webpage.
Introduction
What is Snake?
We consider Snake the most sophisticated cyber espionage tool in the FSB’s arsenal.
The sophistication of Snake stems from three principal areas. First, Snake employs means to achieve a rare level of stealth in its host components and network communications. Second, Snake’s internal technical architecture easily incorporates new or replacement components.
This design also facilitates the development and interoperability of Snake instances running on different host operating systems. We have observed interoperable Snake implants for Windows, macOS, and Linux operating systems. Lastly, Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs, given its complexity.
Following open-source reporting by cybersecurity and threat intelligence companies on Snake tactics, techniques, and procedures (TTPs), the FSB implemented new techniques to evade detection. The modifications to the implant made Snake and related artifacts harder to identify and collect, directly hampering detection by both host- and network-based defensive tools.
The effectiveness of this type of cyber espionage implant depends entirely on its long-term stealth since the objective of an extended espionage operation involves remaining on the target for months or years to provide consistent access to important intelligence. The uniquely sophisticated aspects of Snake represent a significant effort by the FSB over many years to enable this type of covert access.
The FSB began developing Snake as “Uroburos” in late 2003. Development of the initial versions of the implant appeared to be completed around early 2004, with cyber operations first conducted using the implant shortly after that.
The name Uroburos is appropriate, as the FSB cycled it through nearly constant stages of upgrade and redevelopment, even after public disclosures, instead of abandoning it. The name appears throughout early versions of the code, and the FSB developers also left other unique strings, including “Ur0bUr()sGoTyOu#”, which have publicly returned to haunt them.
Unique features in early versions of Uroburos included a low-resolution image of a portion of a historical illustration of an Uroboros by the German philosopher and theologian Jakob Böhme. One approach to a tertiary backdoor used this image as the key. The same image had also been embedded in other Snake-related components. The image, blown up to a higher resolution, is shown right.
In addition, early FSB developers of the Snake implant left portions of unique code throughout the implant, which revealed inside jokes, personal interests, and taunts directed at security researchers. For instance, the “Ur0bUr()sGoTyOu#” string referenced above was replaced with “gLASs D1cK” in 2014 following some of the public cybersecurity reporting.
Snake operations have been attributed to an available unit within Center 16 of the FSB. This unit more broadly operates the numerous elements of the Turla[2] toolset and has subunits spread throughout Russia reflecting historical KGB signals intelligence operations in the Soviet Union.
Snake has been a core component of this unit’s operations for almost as long as Center 16 has been part of the FSB.[3] The extensive influence of Snake across the Turla toolset demonstrates its impact on practically every aspect of the unit’s modern era of cyber operations. Daily operations using Snake have been carried out from an FSB facility in Ryazan, Russia, with an increase in Snake activity during FSB working hours in Ryazan, approximately 7:00 AM to 8:00 PM, Moscow Standard Time (GMT+3).
The leading developers were Ryazan-based FSB officers known by monikers included in the code of some versions of Snake. In addition to developing Snake, Ryazan-based FSB officers used it to conduct worldwide operations; these operations differed from others launched from Moscow or other FSB sites based on infrastructure and techniques. While the development and re-tooling of Snake have historically been done by Ryazan-based FSB officers, Snake operations were also launched from an FSB Center 16-occupied building in Moscow.
According to the ACSC, the investigations have identified examples of FSB operators using Snake to their full potential and FSB operators who appeared unfamiliar with Snake’s more advanced capabilities. These observations illustrate the difficulty in using such an advanced toolset across the various geographically dispersed teams comprising this unit within FSB Center 16.
ACSC has been collectively investigating Snake and Snake-related tools for almost 20 years, and other operations by this unit since the 1990s. During that time, the FSB has used Snake in many different operations. They have demonstrated the value placed in this tool by making numerous adjustments and revisions to keep it viable after repeated public disclosures and other mitigations.
Snake’s code and multiple Snake-related tools have been either a starting point or a key influence factor for a diverse range of other highly prolific implants and operational tools in the Turla family. Most notably, this has included Carbon (aka Cobra)—derived from Snake’s code base—and the similarly Snake-adjacent implant Chinch (currently known in open sources as ComRAT).
ACSC has identified Snake infrastructure in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia, including the United States and Russia. Although Snake leverages infrastructure across all industries, its targeting is purposeful and tactical. For instance, if an infected system did not respond to Snake communications, the FSB actors would strategically re-infect it within days.
Globally, the FSB has used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities, and journalists. As one example, FSB actors used Snake to access and exfiltrate sensitive international relations documents and other diplomatic communications from a victim in a NATO country.
Within the United States, the FSB has victimised industries, including education, small businesses, media organisations, and critical infrastructure sectors, including government facilities, financial services, critical manufacturing, and communications.
Other Tools and TTPs Employed with Snake
The FSB typically deploys Snake to external-facing infrastructure nodes on a network and, from there, uses other tools and TTPs on the internal network to conduct additional exploitation operations.
Upon gaining and cementing ingress into a target network, the FSB typically enumerates the network and works to obtain administrator credentials and access domain controllers. Various mechanisms have been employed to gather user and administrator credentials to expand laterally across the network, including keyloggers, network sniffers, and open-source tools.
Typically, after FSB operators map out a network and obtain administrator credentials for various domains in the network, regular collection operations begin. In most instances with Snake, further heavyweight implants are not deployed, and they rely on credentials and lightweight remote-access tools internally within a network. FSB operators sometimes deploy a small remote reverse shell and Snake to enable interactive operations.
This triggerable reverse shell, which the FSB has used for around 20 years, can be used as a backup access vector or to maintain a minimal presence in a network and avoid detection while moving laterally.
Snake Architecture
Snake’s architectural design reflects professional software engineering practices. Critical pathways within the implant are stacks of loosely coupled components that implement well-designed interfaces. In addition to facilitating software development and debugging, this construction allows Snake to use multiple components for the same purpose, choosing the specific component based on environmental considerations.
For example, Snake’s custom network communications protocols function as a stack. All implementations use encryption and transport layers, such as Snake’s custom HTTP or raw TCP socket protocol. Each Snake network protocol stack layer solely implements a specified interface for operability with the two adjacent layers.
The encryption layer and underlying transport layer thus function independently, so any custom Snake network protocol can employ an encryption overlay without any change to the encryption layer code.[4] This modularity allows Snake operators to choose the most logical network transport for the given environment without affecting Snake’s other functionality.
When using a compromised HTTP server as part of the Snake P2P network, the operators can ensure that all traffic to this machine follows the Snake custom HTTP protocol and blends effectively with legitimate traffic.
In the context of a compromised machine that legitimately allows secure shell (SSH) connections, Snake can utilise its custom raw TCP socket protocol instead of its custom HTTP protocol. All other layers of the Snake protocol stack, from the immediately adjacent transport encryption layer to the distant command processing layer, can and do remain entirely agnostic to the transport layer as long as it implements its interface correctly.
This architecture also allows the Snake developers to easily substitute a new communications protocol when they believe one has been compromised without necessitating any downstream changes in the code base.
Lastly, this design facilitates the development of fully interoperable Snake implants running on different host operating systems. Snake’s technical sophistication extends from the software architecture to lower-level software implementation.
Original versions of Snake were developed as early as 2003 before many of the modern programming languages and frameworks that facilitate this type of modular development were available. Snake is written entirely in C, which provides significant advantages in low-level control and efficiency but does not provide direct support for objects or interfaces at the language level and provides no assistance with memory management.
The developers of Snake successfully implemented the implant’s complex design in C with very few bugs, including careful avoidance of the common pitfalls associated with null-terminated strings and the mixing of signed and unsigned integers. Additionally, the developers demonstrate an understanding of computer science principles throughout the implant’s implementation.
This includes selecting and correctly coding asymptotically optimal algorithms, designing and utilising efficient custom encoding methodologies that closely resemble common encoding schemes, and securely handling the numerous possible errors associated with systems-level programming.
Capitalising on Mistakes
Although the Snake implant is a highly sophisticated espionage tool, it does not escape human error.
A tool like Snake requires more familiarity and expertise to use correctly, and in several instances, Snake operators should have used it more effectively. Various mistakes in its development and operation provided us with a foothold into the inner workings of Snake. They were key factors in developing capabilities that have allowed for tracking Snake and manipulating its data.
The FSB used the OpenSSL library to handle its Diffie-Hellman key exchange. The Diffie-Hellman key set created by Snake during the key exchange is too short to be secure. The FSB provided the function DH_generate_parameters with a prime length of only 128 bits, which is inadequate for asymmetric key systems.
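The parameter-size weakness described above is something a defender can check for in their own software. The following is an added example, not code from the advisory or from Snake: it decodes a PKCS#3 "DH PARAMETERS" PEM block and reports the prime length against a policy floor. The 2048-bit floor, the function names and the sample input are assumptions made for illustration.

```python
import base64

MIN_DH_PRIME_BITS = 2048  # assumed policy floor, not a value from the advisory

def _read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_dh_params(pem):
    """Decode a PKCS#3 'DH PARAMETERS' PEM block into (p, g)."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN DH PARAMETERS-----"
            or lines[-1] != "-----END DH PARAMETERS-----"):
        raise ValueError("not a DH PARAMETERS block")
    tag, seq, _ = _read_tlv(base64.b64decode("".join(lines[1:-1])), 0)
    tag_p, p_raw, pos = _read_tlv(seq, 0)
    tag_g, g_raw, _ = _read_tlv(seq, pos)
    if (tag, tag_p, tag_g) != (0x30, 0x02, 0x02):
        raise ValueError("expected SEQUENCE { INTEGER p, INTEGER g }")
    return int.from_bytes(p_raw, "big"), int.from_bytes(g_raw, "big")

def audit_dh_params(pem, min_bits=MIN_DH_PRIME_BITS):
    """Report the prime size and whether it meets the policy floor."""
    p, g = parse_dh_params(pem)
    return {"prime_bits": p.bit_length(), "generator": g, "ok": p.bit_length() >= min_bits}

def _der(tag, body):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def make_sample_pem(p, g):
    """Build a DH PARAMETERS block from integers; constructed test input."""
    ints = b"".join(_der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in (p, g))
    b64 = base64.b64encode(_der(0x30, ints)).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + b64 + "\n-----END DH PARAMETERS-----\n"

# Constructed sample with a 128-bit modulus, the size the advisory reports.
SAMPLE_128 = make_sample_pem(2**128 - 159, 2)

if __name__ == "__main__":
    print(audit_dh_params(SAMPLE_128))
```

The same check applies to any parameter file a build or deployment ships; a result with "ok" set to False means the modulus is below the configured floor.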
Also, in some instances of what appeared to be rushed deployments of Snake, the operators did not strip the Snake binary. This led to the discovery of numerous function names, cleartext strings, and developer comments, as seen in the following figure.