The Snake cyber espionage toolkit has been under development since at least 2005, according to BAE

'Snake' cyber espionage toolkit unmasked

A highly resilient cyber espionage toolkit known as ‘Snake’ has been unmasked by defence contractor BAE Systems.

The firm’s Applied Intelligence division has today released a threat analysis report as well as a set of technical indicators, which will allow organisations to identify compromises, and security companies to develop improved defences.

The research includes descriptions of how the malware communicates, the distinctive architectures which have evolved over the years, the use of novel tricks to by-pass Windows security, and how it hides from traditional defensive tools.

“The threat described in this report really does raise the bar in terms of what potential targets, and the security community in general, have to do to keep ahead of cyber attackers,” said Martin Sutherland, managing director of BAE Systems Applied Intelligence.

“Hopefully, however, this research will help potential targets to better understand the nature of their threat adversary, and how they can build appropriate defences.”

BAE’s analysis follows a report last week from a German security company that exposed a component from the project, which the report claims has been in development since at least 2005, unlike previously reported. The threat has mostly been seen in Eastern Europe, but also in the USA, UK and other Western European countries.

According to the report, the complexity of the malware and the range of variants and techniques used to support its operation, suggests that its authors and operators are committed and well-funded professionals possessing an arsenal of infiltration tools.

The resilience of the Snake malware in the face of cyber security counter measures is in part a result of its kernel centric architecture, which the researchers say is extraordinarily complex.

Most notable is a novel trick used by the developers to load unsigned drivers in 64-bit Windows machines, bypassing a fundamental element of Windows security – from Vista onwards Windows requires all kernel-mode drivers to be signed with a valid digital signature.

While the campaign has largely managed to remain under the radar of the mainstream security industry, it received significant attention in the past under a different name – Agent.btz or Agent.AWF – in particular in 2008 and again in 2011, when sources familiar with the US Department of Defence disclosed that their classified networks had been breached by an early version.

“What this research once more demonstrates, is how organised and well-funded adversaries are using highly sophisticated tools and techniques to target legitimate organisations on a massive scale,” said Sutherland.

“Although there has been some awareness of the Snake malware for some years, until now the full scale of its capabilities could not be revealed, and the threat it presents is clearly something that needs to be taken much more seriously.”

To download the full report visit BAE Systems' website.

Recent articles

Info Message

Our sites use cookies to support some functionality, and to collect anonymous user data.

Learn more about IET cookies and how to control them

Close