Global advisory warns organizations of Snake malware, purpose-built to avoid large-scale detection

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and global partner organizations published Tuesday a detailed technical advisory containing information that can be used to detect and prevent attacks involving the Snake malware, including a recent variant. The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive targets.

“We consider Snake to be the most sophisticated cyber espionage tool in the FSB’s arsenal. The sophistication of Snake stems from three principal areas,” the joint advisory disclosed. “First, Snake employs means to achieve a rare level of stealth in its host components and network communications. Second, Snake’s internal technical architecture allows for easy incorporation of new or replacement components. This design also facilitates the development and interoperability of Snake instances running on different host operating systems. We have observed interoperable Snake implants for Windows, MacOS, and Linux operating systems.” 

Lastly, the advisory added that Snake malware demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity. The advisory has been issued by the U.S. National Security Agency (NSA), Federal Bureau of Investigation (FBI), CISA, Cyber National Mission Force (CNMF), Canadian Cyber Security Centre (CCCS), U.K. National Cyber Security Centre (NCSC-UK), Australian Cyber Security Centre (ACSC), and New Zealand National Cyber Security Centre (NCSC-NZ).

“Russian government actors have used this tool for years for intelligence collection,” Rob Joyce, NSA director of cybersecurity, said in a media statement. “Snake infrastructure has spread around the world. The technical details will help many organizations find and shut down the malware globally.” 

The NSA added that in the U.S., the FSB has victimized industries including education institutions, small businesses, and media organizations. Critical infrastructure sectors, such as local government, finance, manufacturing, and telecommunications, have also been impacted.

The global advisory said that following open-source reporting by cybersecurity and threat intelligence companies on Snake tactics, techniques, and procedures (TTPs), the advisory identified that the FSB implemented new techniques to evade detection. “The modifications to the implant enhanced challenges in identifying and collecting Snake and related artifacts, directly hampering detection from both host- and network-based defensive tools. The effectiveness of this type of cyberespionage implant depends entirely on its long-term stealth since the objective of an extended espionage operation involves remaining on the target for months or years to provide consistent access to important intelligence,” it added.

The ‘uniquely sophisticated’ aspects of Snake malware represent a significant effort by the FSB over many years to enable this type of covert access. The advisory also revealed that to conduct operations using the cyber espionage tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide. “Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB’s ultimate targets. Snake’s custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts,” it added.

The advisory said that it has “identified Snake infrastructure in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia, to include the United States and Russia itself. Although Snake uses infrastructure across all industries, its targeting is purposeful and tactical in nature. Globally, the FSB has used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities, and journalists.” 

As one example, FSB hackers used Snake malware to access and exfiltrate sensitive international relations documents, as well as other diplomatic communications, from a victim in a North Atlantic Treaty Organization (NATO) country, the advisory disclosed. “Within the United States, the FSB has victimized industries including education, small businesses, and media organizations, as well as critical infrastructure sectors including government facilities, financial services, critical manufacturing, and communications.”

The FSB typically deploys Snake malware to external-facing infrastructure nodes on a network and uses other tools and TTPs on the internal network to conduct additional exploitation operations. “Upon gaining and cementing ingress into a target network, the FSB typically enumerates the network and works to obtain administrator credentials and access domain controllers. A wide array of mechanisms has been employed to gather user and administrator credentials in order to expand laterally across the network, to include keyloggers, network sniffers, and open source tools,” it added.

Typically, after FSB operators map out a network and obtain administrator credentials for various domains in the network, regular collection operations begin, the advisory added. “In most instances with Snake, further heavyweight implants are not deployed, and they rely on credentials and lightweight remote-access tools internally within a network. FSB operators sometimes deploy a small remote reverse shell along with Snake to enable interactive operations. This triggerable reverse shell, which the FSB has used for around 20 years, can be used as a backup access vector, or to maintain a minimal presence in a network and avoid detection while moving laterally.”

The advisory said that the Snake malware uses two main methods for communication and command execution – Passive and Active. In general, Snake operators will employ Active operations to communicate with hop points within Snake’s infrastructure; however, hop points can and do sometimes operate using Snake’s Passive method. Snake’s endpoints tend to solely operate using the Passive method.

During Active operations, Snake commands are issued by an FSB operator or a script to a target machine, generally through Forward commands. The response to the command is immediately returned to the point of origin following the same path that the command took to reach its end target.

During Passive operations, Snake implants operate on their own, without the synchronous interaction of FSB operators. “The nodes with which an implant communicates during Passive operations are stored within its 0x2 Container(s) as communication channels. Up to ten communication channels can be present at any time; an operator can change these channels via the Set Config Item command,” the advisory disclosed.

Critical infrastructure organizations should patch all systems and prioritize patching known exploited vulnerabilities, enforce multi-factor authentication, secure and monitor remote desktop protocol and other risky services, and provide end-user awareness and training, to immediately protect against Russian state-sponsored and criminal cybersecurity threats. 

The advisory also provided organizations with many complementary detection techniques to identify some of the more recent variants of Snake malware. However, as Snake is purpose-built to avoid large-scale detection, these mitigation actions must be used judiciously. 

The mitigations include network intrusion detection systems (NIDS) that can feasibly identify some of the more recent variants of Snake and its custom network protocols. The advantage of NIDS is high-confidence, large-scale (network-wide) detection of custom Snake communication protocols, while its disadvantages are low visibility into Snake implant operations and encrypted data in transit. There is some potential for false positives in the Snake ‘http,’ ‘http2,’ and ‘tcp’ signatures. Furthermore, Snake malware operators can easily change network-based signatures.

When it comes to host-based detection, its advantages include high confidence based on the totality of positive hits for host-based artifacts, while disadvantages include that many of the artifacts on the host are easily shifted to exist in a different location or with a different name. As the files are fully encrypted, accurately identifying these files is difficult. In the case of memory analysis, the advisory listed its advantages as high confidence as memory provides the greatest level of visibility into Snake’s behaviors and artifacts, while the disadvantages covered the potential impact on system stability and difficult scalability.

The advisory outlined that the mitigations are not meant to protect against the initial access vector and are designed to prevent Snake’s persistence and hiding techniques. It calls upon system owners and operators to change credentials and apply updates, and execute organizational incident response plans. 

In its advisory, the NCSC-UK said that Snake malware and its variants have been a core component in Russian espionage operations carried out by Centre 16 of Russia’s Federal Security Service (FSB) for nearly two decades. “The implant has been used to collect sensitive information from specific targets, such as government networks, research facilities, and journalists, with Snake infrastructure identified in more than 50 countries across the world,” it added.

“The advisory lifts the lid on a highly sophisticated espionage tool used by Russian cyber actors, helping to expose the tactics and techniques being used against specific targets around the world,” Paul Chichester, NCSC director of operations, said. “We strongly encourage organisations to read the technical information about Snake malware and implement the mitigations to help detect and defend against this advanced threat.”

Last month, the NCSC issued an alert to critical national infrastructure (CNI) organizations warning of an emerging threat from state-aligned groups. The threat comes particularly from state-aligned groups sympathetic to Russia’s invasion of Ukraine and has emerged over the past 18 months. 

The Office of the Director of National Intelligence (ODNI) said in March in its latest annual report that Russia is particularly focused on improving its ability to target critical infrastructure, including underwater cables and industrial control systems, in the U.S., as well as in allied and partner countries because compromising such infrastructure improves and demonstrates its ability to damage infrastructure during a crisis. The report also added that Russia continues to train its military space elements and field new anti-satellite weapons to disrupt and degrade U.S. and allied space capabilities.
