Hunting Russian Intelligence “Snake” Malware

The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive targets.  To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide.  Many systems in this P2P network serve as relay nodes that route disguised operational traffic to and from Snake implants on the FSB’s ultimate targets.  Snake’s custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts.

US authorities have identified Snake infrastructure in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia, including the United States and Russia itself.  Although Snake uses infrastructure across all industries, its targeting is purposeful and tactical.  Globally, the FSB has used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities, and journalists.  As one example, FSB actors used Snake to access and exfiltrate sensitive international relations documents and other diplomatic communications from a victim in a North Atlantic Treaty Organization (NATO) country.  The FSB has victimized industries within the United States, including education, small businesses, media organizations, and critical infrastructure sectors, including government facilities, financial services, critical manufacturing, and communications.

A 48-page joint-seal Cybersecurity Advisory (CSA) was issued that provides background on Snake’s attribution to the FSB and detailed technical descriptions of the implant’s host architecture and network communications.[1]  This CSA also addresses a recent Snake variant that has not yet been widely disclosed.  The technical information and mitigation recommendations in this CSA are provided to assist network defenders in detecting Snake and associated activity.  For more information on FSB and Russian state-sponsored cyber activity, please see the joint advisory Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure and CISA’s Russia Cyber Threat Overview and Advisories webpage.

The development of the Snake malware started under the name "Uroburos" in late 2003, and the first versions of the implant were seemingly finalized by early 2004, with Russian state hackers deploying the malware in attacks immediately afterward.  The malware is linked to a unit within Center 16 of the FSB, the notorious Russian Turla hacking group, and was disrupted following a coordinated effort named Operation MEDUSA.[2]

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

[1] https://image.communications.cyber.nj.gov/lib/fe3e15707564047c7c1270/m/3/Joint+Cybersecurity+Advisory+-+5.9.2023.pdf

[2] https://www.bleepingcomputer.com/news/security/fbi-nukes-russian-snake-data-theft-malware-with-self-destruct-command/