NSA and Allies Uncover Russian Snake Malware Network in 50+ Countries

The National Security Agency (NSA) and various international partner agencies have discovered infrastructure connected with the sophisticated Russian cyber-espionage tool Snake in over 50 countries worldwide.

The agencies that co-authored the advisory, the NSA, FBI, CISA, CNMF, CCCS, NCSC-UK, ACSC and NCSC-NZ, attribute Snake operations to a specific unit within Center 16 of Russia's Federal Security Service (FSB).

The FSB operators reportedly used Snake to retrieve and exfiltrate confidential documents related to international relations and other diplomatic communications from a victim located in a NATO country.

The international coalition has identified Snake infrastructure on multiple continents, including North America, South America, Europe, Africa, Asia and Australia, and in the United States and Russia itself.

According to the joint advisory the agencies published on Tuesday (May 9, 2023), the FSB has targeted a range of industries in the US, including education, small businesses, media organizations, local government, finance, manufacturing and telecommunications. Snake is typically installed on external-facing infrastructure nodes, which the operators then use as hop points for further exploitation of the target network.

“Russian government actors have used this tool for years for intelligence collection,” commented Rob Joyce, NSA director of cybersecurity. “Snake infrastructure has spread around the world. The technical details will help many organizations find and shut down the malware globally.”

Tom Kellermann, SVP of cyber strategy at Contrast Security, called the operation a “historic blow” to the Russian cyber-espionage apparatus.

“The Justice Department has taken the gloves off, and this disruption serves as a harbinger of more aggressive actions to come,” Kellermann added.

However, Roger Grimes, a data-driven defense evangelist at KnowBe4, expressed a milder opinion on the discovery.

“Over the last decade or so, law enforcement has done similar bot takedowns by infiltrating the network or command and control servers. It’s a great strategy, although in some cases it resulted in only a limited, temporary disruption until the bad guys were able to set up new, different botnets.”

Nevertheless, such disruptions have sometimes dismantled a malicious infrastructure outright rather than merely interrupting it, as appeared to be the case with the takedown of the Hive ransomware group in January 2023.