ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > Operation TunnelSnake

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Operation TunnelSnake

NamesOperation TunnelSnake (Kaspersky)
Country[Unknown]
MotivationInformation theft and espionage
First seen2018
Description(Kaspersky) In this blog post we will focus on the following key findings that came up in our investigation:

• A newly discovered rootkit that we dub ‘Moriya’ is used by an unknown actor to deploy passive backdoors on public facing servers, facilitating the creation of a covert C&C communication channel through which they can be silently controlled;
• The rootkit was found on networks of regional diplomatic organizations in Asia and Africa, detected on several instances dating back to October 2019 and May 2020, where the infection persisted in the targeted networks for several months after each deployment of the malware;
• We observed an additional victim in South Asia, where the threat actor deployed a broad toolset for lateral movement along with the rootkit, including a tool that was formerly used by APT1. Based on the detection timestamps of that toolset, we assess that the attacker had a foothold in the network from as early as 2018;
• A couple of other tools that have significant code overlaps with Moriya were found as well. These contain a user mode version of the malware and another driver-based utility used to defeat AV software.
ObservedCountries: Asia and Africa.
Tools usedMoriya.
Information<https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/>

Last change to this card: 15 May 2021

Download this actor card in PDF or JSON format

Previous: Operation Titan Rain
Next: Operation ViceLeaker

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key