International security agencies warn of Russian “Snake” malware threat

Snake’s custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts.

Security agencies from five countries have issued a joint advisory revealing technical details about a sophisticated espionage tool used by Russian cyber actors against their targets. “Snake malware” and its variants have been a core component in Russian espionage operations carried out by Center 16 of Russia’s Federal Security Service (FSB) for nearly two decades, according to the security notice.

Identified in infrastructure in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia, Snake’s custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts. Globally, the FSB has used Snake to collect sensitive intelligence from high-priority targets such as government networks, research facilities, and journalists.

The advisory was published by the US Federal Bureau of Investigation (FBI), the US National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA), US Cyber National Mission Force (CNMF), the UK National Cyber Security Center (NCSC), the Canadian Centre for Cyber Security (CCCS), the Canadian Communications Security Establishment (CSE), the Australian Cyber Security Centre (ACSC), and the New Zealand NCSC. It is designed to help organizations understand how Snake operates and provides suggested mitigations to help defend against the threat.

The security notice comes in the wake of a separate warning from the UK NCSC outlining a new class of Russian cyber adversary threatening critical infrastructure.

Operation MEDUSA neutralizes Snake malware campaign

On the same day the advisory was published, the US Justice Department announced the completion of a court-authorized operation, code-named MEDUSA, to disrupt a global peer-to-peer network of computers compromised by Snake malware. Operation MEDUSA disabled Snake malware on compromised computers using an FBI-created tool named PERSEUS, which issued commands that caused the Snake malware to overwrite its own vital components.

“Today’s announcement demonstrates the FBI’s willingness and ability to pair our authorities and technical capabilities with those of our global partners to disrupt malicious cyber actors,” said assistant director Bryan Vorndran of the FBI’s Cyber Division. “When it comes to combating Russia’s attempts to target the US and our allies using complex cyber tools, we will not waver in our work to dismantle those efforts.”

Snake malware’s sophistication stems from three principal areas

Snake is considered the most sophisticated cyber espionage tool in the FSB’s arsenal, stemming from three principal areas, the advisory read. “First, Snake employs means to achieve a rare level of stealth in its host components and network communications. Second, Snake’s internal technical architecture allows for easy incorporation of new or replacement components. Lastly, Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity.”

The FSB has also implemented new techniques to help Snake evade detection, with the effectiveness of the cyber espionage implant depending on its long-term stealth to provide consistent access to important intelligence. “The uniquely sophisticated aspects of Snake represent significant effort by the FSB over many years to enable this type of covert access.”

Snake often deployed to external-facing infrastructure nodes

Snake is typically deployed to external-facing infrastructure nodes on a network, and from there uses other tools and tactics, techniques, and procedures (TTPs) on the internal network to conduct additional exploitation operations, the advisory continued. “Upon gaining and cementing ingress into a target network, the FSB typically enumerates the network and works to obtain administrator credentials and access domain controllers. A wide array of mechanisms has been employed to gather user and administrator credentials in order to expand laterally across the network, to include keyloggers, network sniffers, and open-source tools.”

Once actors map out a network and obtain administrator credentials for various domains, regular collection operations begin. In most instances with Snake, further heavyweight implants are not deployed, and they rely on credentials and lightweight remote-access tools internally within a network. “FSB operators sometimes deploy a small remote reverse shell along with Snake to enable interactive operations.” This triggerable reverse shell, which the FSB has used for around 20 years, can be used as a backup access vector, or to maintain a minimal presence in a network and avoid detection while moving laterally.

Snake uses two main methods for communication and command execution, namely passive and active. Snake operators generally employ active operations to communicate with hop points within Snake’s infrastructure, while Snake’s endpoints tend to solely operate using the passive method.

Methods for detecting Snake malware

The advisory outlined several detection methodologies available for Snake, outlining their advantages and disadvantages. These are:

• Network-based detection: Network intrusion detection systems (NIDS) can feasibly identify some of the more recent variants of Snake and its custom network protocols. Advantages include high-confidence, large-scale (network-wide) detection of custom Snake communication protocols. Disadvantages include low visibility of Snake implant operations and encrypted data in transit. There is some potential for false positives in the Snake HTTP, HTTP2, and TCP signatures. Snake operators can easily change network-based signatures.
• Host-based detection: Advantages include high confidence based on totality of positive hits for host-based artifacts. Disadvantages include that many of the artifacts on the host are easily shifted to exist in a different location or with a different name. As the files are fully encrypted, accurately identifying these files is difficult.
• Memory analysis: Advantages include high confidence as memory provides the greatest level of visibility into Snake’s behaviors and artifacts. Disadvantages include potential impact on system stability, difficult scalability.

Preventing Snake’s persistence and hiding techniques

The advisory also described strategies for preventing Snake’s persistence and hiding techniques. The first is for system owners believed to be compromised by Snake to change their credentials immediately (from a non-compromised system) and to not use any type of passwords similar to those used before. “Snake employs a keylogger functionality that routinely returns logs back to FSB operators. Changing passwords and usernames to values which cannot be brute-forced or guessed based on old passwords is recommended.”

System owners are also advised to apply updates to their operating systems, as modern versions of Windows, Linux, and MacOS make it much harder for adversaries to operate in the kernel space. “This will make it much harder for FSB actors to load Snake’s kernel driver on the target system.”

If system owners receive detection signatures of Snake implant activity or have other indicators of compromise that are associated with FSB actors using Snake, the impacted organization should immediately initiate their documented incident response plan, the notice added. This should include separating user and privileged accounts to make it harder for FSB actors to gain access to administrator credentials, employing network segmentation to deny all connections by default unless explicitly required for specific system functionality, and implementing phishing resistant multifactor authentication (MFA) to add an additional layer of security even when account credentials are compromised.