Nine cyber security agencies in five countries including Australia have issued a warning against an implant they’ve dubbed Snake, and attributed to Russia’s FSB security service.
It’s not the first time Snake has made the news: the malware has been known to threat-hunters since at least 2014, when Kaspersky discussed it at Black Hat.
In a post detailing the espionage tool, America’s Cybersecurity and Infrastructure Security Agency (CISA) laid bare Snake’s international peer-to-peer network of infected computers, and provided a detailed description of its architecture.
“Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB’s ultimate targets,” CISA said.
“Snake’s custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts.”
Infrastructure has been found in 50 countries in North America, South America, Europe, Africa, Asia, and Australia, as well as Russia.
CISA identified government networks, research facilities and journalists as targets, and Snake has been used to “exfiltrate sensitive international relations documents, as well as other diplomatic communications” from a NATO member.
Victim organisations in North America included education, media organisations, and a range of critical infrastructure operators.
Calling Snake the “most sophisticated cyber espionage tool in the FSB’s arsenal”, CISA said it has a “rare level of stealth” both in infected hosts and in network communications, with an internal structure designed for easy incorporation of new or replacement components.
It’s a cross-platform system, CISA said, with variants for Windows, macOS and Linux.
The agencies behind the advisory are the FBI, National Security Agency, CISA and the Cyber National Mission Force from the USA; the UK’s National Cyber Security Centre; Canada’s Centre for Cyber Security and Communications Security Establishment; the Australian Cyber Security Centre; and New Zealand’s National Cyber Security Centre.