The Snake Campaign

The Snake Campaign

February 2014 - This report from BAE Systems provides further details on how the recently disclosed ‘Snake’ cyber espionage toolkit operates. Timelines of the malware development show this to be much bigger campaign than previously known. Specifically it reveals that the malware has actually been in development since at least 2005. From the complexity of the malware, and the range of variants and techniques used to support its operation, the research also suggests that Snake’s authors and operators are committed and well-funded professionals.

Our report includes descriptions of:

• How the malware communicates,
• The distinctive architectures which have evolved over the years,
• The use of novel tricks to by-pass Windows security,
• How it hides from traditional defensive tools.

The BAE Systems' analysis follows a report from a German security company that exposed a component from this project, and opened the lid on a campaign which has been a covert but persistent threat. BAE Systems has built a picture of the activity, and in particular the countries in which this has been seen - mostly in Eastern Europe, but also in the US, UK and other Western European countries.

This threat has received significant attention in the past, albeit under a different name - Agent.BTZ. It came to the surface in 2008 and again in 2011, when sources familiar with the US Department of Defence disclosed that their classified networks had been breached by an early version from this same operation.

Since then the authors have continued development and deployed many advanced features that make it a far more menacing threat than previously. Until now the campaign has largely managed to remain under the radar of the mainstream security industry.

In conjunction with the threat analysis, the report also contains a set of technical indicators which will allow organisations to identify compromises, and security companies to develop improved defences.