International Security Agencies Caution of Russian Malware Threat Named "Snake"

A group of security agencies from five countries has issued a joint advisory about "Snake" malware, an espionage tool used by Russian cyber actors against their targets. The malware and its variants have reportedly been used by Russia's Federal Security Service (FSB) for almost two decades to gather sensitive intelligence from government networks, research facilities, and journalists. Security researchers have identified Snake infrastructure in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia. The FSB has implemented new techniques to help the malware evade detection, and Snake is typically deployed to external-facing infrastructure nodes on a network. Snake's custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts.

The advisory, published by the US Federal Bureau of Investigation (FBI), the US National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Cyber National Mission Force (CNMF), the UK National Cyber Security Centre (NCSC), the Canadian Centre for Cyber Security (CCCS), the Canadian Communications Security Establishment (CSE), the Australian Cyber Security Centre (ACSC), and the New Zealand NCSC, aims to increase awareness of how Snake operates and provides recommendations for defending against the threat.

The security bulletin was released in the wake of a separate warning from the UK NCSC about a new class of Russian cyber adversary threatening critical infrastructure. The UK NCSC recently revealed that cyberattacks attributed to Russia, aimed at compromising the critical infrastructure of countries such as the US and Ukraine, have increased in frequency and sophistication.

Snake is considered the most sophisticated cyber espionage tool in the FSB’s arsenal, thanks to its ability to remain hidden from victims and its internal technical architecture, which allows for the easy incorporation of new or replacement components. The malware is known for its careful software engineering design and implementation and contains surprisingly few bugs given its complexity.

On the same day that the advisory was published, the US Justice Department announced the completion of an operation designed to disrupt a global peer-to-peer network of computers compromised by Snake malware. The operation, named MEDUSA, disabled Snake malware on compromised computers using an FBI-created tool called PERSEUS, which issued commands that caused the malware to overwrite its own vital components.

According to the FBI's Cyber Division, the completion of the court-authorized MEDUSA operation demonstrates the authorities and technical capabilities available to the US and its global partners to disrupt malicious cyber actors. The FBI and other agencies are willing and able to dismantle the efforts of foreign threat actors that target the US and its allies using complex cyber tools.

The FSB has long relied on Snake to gather sensitive intelligence from high-priority targets, including government networks, research facilities, and journalists, across the globe. Therefore, it is essential that organizations remain vigilant, monitor their networks, and follow the recommended mitigations outlined in the joint advisory to protect their networks against future Snake attacks.

The advisory also outlined several detection methodologies available for Snake: network-based detection, host-based detection, and memory analysis. Each of these methods has drawbacks, however, including false positives, limited visibility, difficulty in reliably identifying Snake's files, potential impact on system stability, and poor scalability. The advisory therefore recommends that system owners change their credentials immediately, apply operating system updates, and implement several strategies to counter Snake's persistence and hiding techniques.

In conclusion, the advisory aims to raise awareness of Snake malware’s risks and suggested mitigations for protection. While the Snake threat may have been neutralized temporarily, security experts warn that it is only a matter of time before more advanced malware emerges to take its place. Organizations, particularly those that manage critical infrastructure, therefore need to remain vigilant, implement best cybersecurity practices, and stay abreast of evolving cyber threats.
