US-CERT- Hunting Russian Intelligence “Snake” Malware

Started by Netwörkheäd, May 09, 2023, 06:02:34 PM

Previous topic - Next topic

Netwörkheäd

Hunting Russian Intelligence "Snake" Malware

[html]

SUMMARY


The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets. To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide. Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB's ultimate targets. Snake's custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts.


We have identified Snake infrastructure in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia, to include the United States and Russia itself. Although Snake uses infrastructure across all industries, its targeting is purposeful and tactical in nature. Globally, the FSB has used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities, and journalists. As one example, FSB actors used Snake to access and exfiltrate sensitive international relations documents, as well as other diplomatic communications, from a victim in a North Atlantic Treaty Organization (NATO) country. Within the United States, the FSB has victimized industries including education, small businesses, and media organizations, as well as critical infrastructure sectors including government facilities, financial services, critical manufacturing, and communications.


This Cybersecurity Advisory (CSA) provides background on Snake's attribution to the FSB and detailed technical descriptions of the implant's host architecture and network communications. This CSA also addresses a recent Snake variant that has not yet been widely disclosed. The technical information and mitigation recommendations in this CSA are provided to assist network defenders in detecting Snake and associated activity. For more information on FSB and Russian state-sponsored cyber activity, please see the joint advisory https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-110a">Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure and https://www.cisa.gov/russia">CISA's Russia Cyber Threat Overview and Advisories webpage.


Download the PDF version of this report:

Let's not argue. Let's network!