FBI officials on Tuesday dropped a major bombshell: After spending years monitoring exceptionally stealthy malware that one of the Kremlin’s most advanced hacker units had installed on hundreds of computers around the world, agents unloaded a payload that caused the malware to disable itself.
The counter hack took aim at Snake, the name of a sprawling piece of cross-platform malware that for more than two decades has been in use for espionage and sabotage. Snake is developed and operated by Turla, one of the world’s most sophisticated APTs, short for advanced persistent threats, a term for long-running hacking outfits sponsored by nation states.
Inside jokes, taunts, and mythical dragons
If nation-sponsored hacking was baseball, then Turla would not just be a Major League team—it would be a perennial playoff contender. Researchers from multiple security firms largely agree that Turla was behind breaches of the US Department of Defense in 2008, and more recently the German Foreign Office and France’s military. The group has also been known for unleashing stealthy Linux malware and using satellite-based Internet links to maintain the stealth of its operations.
One of the most powerful tools in Turla’s arsenal is Snake, a digital Swiss Army knife of sorts that runs on Windows, macOS, and Linux. Written in the C programming language, Snake comes as a highly modular series of pieces that are built on top of a massive peer-to-peer network that covertly links one infected computer with another. Snake, the FBI said, has to date spread to more than 50 countries and infected computers belonging to NATO member governments, a US journalist who has covered Russia, and sectors involving critical infrastructure, communications, and education.
A short list of Snake capabilities includes a backdoor that allows Turla to install or uninstall malware on infected computers, send commands, and exfiltrate data of interest to the Kremlin. A professionally designed piece of software, Snake uses several layers of custom encrypt commands and exfiltrated data. Over the P2P network, the encrypted commands and data travel through a chain of hop points made up of other infected machines in a way that makes it difficult to detect or track the activity.
The origins of Snake date back to at least 2003, with the creation of a precursor called “Uroburos,” a variation of ouroboros, which is an ancient symbol depicting a serpent or dragon eating its own tail. A low-resolution image of German philosopher and theologian Jakob Böhme, which appears below, at one point served as the key to a redundant backdoor Turla would install on some hacked endpoints.
The Uroburos name lived on in early versions of the malware, even after it was renamed Snake—for instance, in the string “Ur0bUr()sGoTyOu#.” In 2014, the string was replaced with “gLASs D1cK.” Other strings allude to inside jokes, personal interests of the developers, and taunts directed at security researchers who analyze or counter their code.