CISA Alert AA23-129A – Hunting Russian intelligence “Snake” malware.

This is a CISA Cybersecurity Alert.

ID number Alpha Alpha Two Three tack One Two Nine Alpha.

Original release date: May 9th, 2023. 

The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service, or FSB, for long-term intelligence collection on sensitive targets. To conduct operations using this tool, the FSB created a covert peer-to-peer network of numerous Snake-infected computers worldwide. Many systems in this network serve as relay nodes that disguise operational traffic to and from Snake implants on the FSB’s ultimate targets. Snake’s custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts.

This advisory was developed as a joint effort by an international partnership of multiple agencies, including CISA, FBI, NSA, the Cyber National Mission Force, the UK National Cyber Security Centre, the Canadian Centre for Cyber Security and Communications Security Establishment, the Australian Cyber Security Centre, and the New Zealand National Cyber Security Centre. 

These partners have identified Snake infrastructure in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia, to include the United States and Russia itself. Globally, the FSB has used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities, and journalists. Within the United States, the FSB has victimized industries including education, small businesses, and media organizations, as well as critical infrastructure sectors including government facilities, financial services, critical manufacturing, and communications.

The documentation linked in the show notes provides detailed technical descriptions of the implant’s architecture and network communications. This Advisory also addresses a recent Snake variant that has not yet been widely disclosed. The technical information and mitigation recommendations in this Advisory are provided to assist network defenders in detecting Snake and associated activity.

The authoring agencies encourage all organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of similar incidents. 

To report incidents and anomalous activity or to request incident response resources or technical assistance, contact CISA at report@cisa.gov, call (888) 282-0870, or report incidents to your local FBI field office.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by N2K Networks as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. 

A link to this report can be found in the show notes.

This has been a CISA Cybersecurity Alert.