The National Security Agency (NSA) and several partner agencies have identified infrastructure for Snake malware—a sophisticated Russian cyberespionage tool—in over 50 countries worldwide.
To assist network defenders in detecting Snake and any associated activity, the agencies are publicly releasing the joint Cybersecurity Advisory (CSA), “Hunting Russian Intelligence “Snake” Malware” today.
The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive targets. To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide. Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB’s ultimate targets. Snake’s custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts.
The agencies, which include the NSA, Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Cyber National Mission Force (CNMF), Canadian Cyber Security Centre (CCCS), United Kingdom National Cyber Security Centre (NCSC-UK), Australian Cyber Security Centre (ACSC), and New Zealand National Cyber Security Centre (NCSC-NZ) attribute Snake operations to a known unit within Center 16 of Russia’s Federal Security Service (FSB). The international coalition has identified Snake malware infrastructure across North America, South America, Europe, Africa, Asia, and Australia, including the United States and Russia.
“Russian government actors have used this tool for years for intelligence collection,” said Rob Joyce, NSA Director of Cybersecurity. “Snake infrastructure has spread around the world. The technical details will help many organizations find and shut down the malware globally.”
Malicious cyber actors used Snake to access and exfiltrate sensitive international relations documents, as well as other diplomatic communications, through a victim in a North Atlantic Treaty Organization (NATO) country.
In the U.S., the FSB has victimized industries including education institutions, small businesses, and media organizations. Critical infrastructure sectors, such as local government, finance, manufacturing, and telecommunications, have also been impacted.
Typically, Snake malware is deployed to external-facing infrastructure nodes on a network. From there, it uses other tools, and techniques, tactics, and procedures (TTPs) on the internal network to conduct additional exploitation operations.
This CSA focuses on one of the more recent variants of Snake. It provides background on Snake’s attribution to the FSB and detailed technical information and mitigation recommendations to assist network defenders in protecting against Snake-associated malicious activity.