A coalition of U.S. security agencies dismantled Russia’s global Snake malware network, considered “the most sophisticated cyber espionage tool designed and used by Russia’s Federal Security Service [FSB] for long-term intelligence gathering on sensitive targets,” the U.S. National Security Agency (NSA) said in May.
“This network, supported by Russian intelligence, was responsible for highly sophisticated cyberattacks targeting government institutions, embassies, private companies, and media outlets around the world,” Raúl A. Álvarez, an intelligence expert and professor of cybersecurity at Mexico’s Anáhuac University, told Diálogo on July 4. “Its main objective was the extraction of confidential information for political, economic, and military advantage.”
The Snake malware accessed information through a covert network of numerous infected computers. To stop its activity, U.S. experts disabled the malware with PERSEUS, a special FBI tool, which managed to issue “commands to overwrite its own vital components,” Spanish news site 20minutos reported.
“The FSB used versions of the Snake malware for nearly 20 years to steal sensitive information from hundreds of computer systems in at least 50 countries, including NATO [North Atlantic Treaty Organization] governments,” U.S. Assistant Attorney General for National Security Matthew G. Olsen said on June 20. “Through innovative use of our Rule 41 warrant authority [allowing remote access to search electronic storage media], as well as collaboration with private sector partners and numerous foreign governments, the Justice Department disabled one of the FSB’s most sensitive and complex espionage tools.”
“The dismantling of Snake is vitally important for several reasons: It sends a clear message that these activities will not be tolerated, and concrete steps are taken to curb their advance,” Álvarez said. “By eliminating such a significant threat, it reduces the chances of sensitive data falling into the wrong hands.”
In a lengthy report, security agencies characterized Snake by three traits. First, Snake employs means to achieve a rare level of stealth in the way it operates; second, its internal technical architecture allows new or replacement components to be incorporated easily; and third, it demonstrates careful software engineering design and implementation, and the implant contains surprisingly few bugs given its complexity.
“These types of groups manage APTs [Advanced Persistent Threats]; that is, they have the ability to attack in an advanced and continuous manner, which could have an impact as an economic destabilizer because of the type of targets they have,” Veronica Becerra, co-founder of the Mexican cybersecurity firm Offensive Hacking & Security Networks, told Diálogo on June 29. “These types of cybercriminal groups target critical infrastructures, such as the energy or health sector, among others. An attack on the healthcare sector, for example, could even claim lives. Unfortunately, there have already been some cases.”
Snake infrastructure has been identified in more than 50 countries in the Americas, Europe, Africa, Asia, and Australia, including the United States and Russia itself. Snake can be deployed against organizations in any industry, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) indicated.
“As an example, FSB actors used Snake to access and extract confidential international relations documents, as well as other diplomatic communications from a victim in a NATO country,” CISA said. “Within the United States, the FSB victimized industries including education, small businesses, and media organizations, as well as critical infrastructure sectors including government facilities, financial services, critical manufacturing, and communications.”
“Federal cybersecurity agencies from [intelligence alliance] Five Eyes member countries [Canada, Australia, New Zealand, the United Kingdom, and the United States] issued a joint security advisory with detailed technical information about the Snake malware, to prevent infection in networks,” 20minutos reported.
According to Fortinet’s Global Ransomware Report 2023, the dismantling of Snake was critical for Latin America as 71 percent of the organizations, businesses, or government entities that experienced a ransomware incident paid at least a portion of the ransom demanded.
“However, victims must mitigate further damage to compromised computers because Snake’s takedown ‘did not patch any vulnerabilities and also did not seek out or remove any additional malware or hacking tools,’” 20minutos concluded.