Security agencies from five countries have issued a joint advisory revealing technical details about a sophisticated espionage tool used by Russian cyber actors against their targets. “Snake malware” and its variants have been a core component in Russian espionage operations carried out by Center 16 of Russia’s Federal Security Service (FSB) for nearly two decades, according to the security notice.

Identified in infrastructure in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia, Snake’s custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts. Globally, the FSB has used Snake to collect sensitive intelligence from high-priority targets such as government networks, research facilities, and journalists.

The advisory was published by the US Federal Bureau of Investigation (FBI), the US National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Cyber National Mission Force (CNMF), the UK National Cyber Security Centre (NCSC), the Canadian Centre for Cyber Security (CCCS), the Canadian Communications Security Establishment (CSE), the Australian Cyber Security Centre (ACSC), and the New Zealand NCSC. It is designed to help organizations understand how Snake operates and provides suggested mitigations to help defend against the threat.

The security notice comes in the wake of a separate warning from the UK NCSC outlining a new class of Russian cyber adversary threatening critical infrastructure.

Operation MEDUSA neutralizes Snake malware campaign

On the same day the advisory was published, the US Justice Department announced the completion of a court-authorized operation, code-named MEDUSA, to disrupt a global peer-to-peer network of computers compromised by Snake malware.
Operation MEDUSA disabled Snake malware on compromised computers using an FBI-created tool named PERSEUS, which issued commands that caused the Snake malware to overwrite its own vital components.

“Today’s announcement demonstrates the FBI’s willingness and ability to pair our authorities and technical capabilities with those of our global partners to disrupt malicious cyber actors,” said assistant director Bryan Vorndran of the FBI’s Cyber Division. “When it comes to combating Russia’s attempts to target the US and our allies using complex cyber tools, we will not waver in our work to dismantle those efforts.”

Snake malware’s sophistication stems from three principal areas

Snake is considered the most sophisticated cyber espionage tool in the FSB’s arsenal, and that sophistication stems from three principal areas, the advisory read. “First, Snake employs means to achieve a rare level of stealth in its host components and network communications. Second, Snake’s internal technical architecture allows for easy incorporation of new or replacement components. Lastly, Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity.”

The FSB has also implemented new techniques to help Snake evade detection, since the effectiveness of the cyber espionage implant depends on its long-term stealth to provide consistent access to important intelligence. “The uniquely sophisticated aspects of Snake represent significant effort by the FSB over many years to enable this type of covert access.”

Snake often deployed to external-facing infrastructure nodes

Snake is typically deployed to external-facing infrastructure nodes on a network, and from there the actors use other tools and tactics, techniques, and procedures (TTPs) on the internal network to conduct additional exploitation operations, the advisory continued.
“Upon gaining and cementing ingress into a target network, the FSB typically enumerates the network and works to obtain administrator credentials and access domain controllers. A wide array of mechanisms has been employed to gather user and administrator credentials in order to expand laterally across the network, to include keyloggers, network sniffers, and open-source tools.”

Once the actors map out a network and obtain administrator credentials for various domains, regular collection operations begin. In most instances with Snake, further heavyweight implants are not deployed; the actors instead rely on credentials and lightweight remote-access tools inside the network. “FSB operators sometimes deploy a small remote reverse shell along with Snake to enable interactive operations.” This triggerable reverse shell, which the FSB has used for around 20 years, can serve as a backup access vector, or be used to maintain a minimal presence in a network and avoid detection while moving laterally.

Snake uses two main methods for communication and command execution, namely passive and active. Snake operators generally employ active operations to communicate with hop points within Snake’s infrastructure, while Snake’s endpoints tend to operate solely using the passive method.

Methods for detecting Snake malware

The advisory outlined several detection methodologies available for Snake, along with their advantages and disadvantages. These are:

Network-based detection: Network intrusion detection systems (NIDS) can feasibly identify some of the more recent variants of Snake and its custom network protocols. Advantages include high-confidence, large-scale (network-wide) detection of custom Snake communication protocols. Disadvantages include low visibility of Snake implant operations and of encrypted data in transit. There is some potential for false positives in the Snake HTTP, HTTP2, and TCP signatures, and Snake operators can easily change the network characteristics those signatures rely on.

Host-based detection: Advantages include high confidence based on the totality of positive hits for host-based artifacts. Disadvantages include that many of the artifacts on the host are easily shifted to a different location or renamed. As the files are fully encrypted, accurately identifying them is difficult.

Memory analysis: Advantages include high confidence, as memory provides the greatest level of visibility into Snake’s behaviors and artifacts. Disadvantages include potential impact on system stability and difficult scalability.

Preventing Snake’s persistence and hiding techniques

The advisory also described strategies for preventing Snake’s persistence and hiding techniques. The first is for system owners who believe they have been compromised by Snake to change their credentials immediately (from a non-compromised system) and not to use any passwords similar to those used before. “Snake employs a keylogger functionality that routinely returns logs back to FSB operators. Changing passwords and usernames to values which cannot be brute-forced or guessed based on old passwords is recommended.”

System owners are also advised to apply updates to their operating systems, as modern versions of Windows, Linux, and macOS make it much harder for adversaries to operate in kernel space. “This will make it much harder for FSB actors to load Snake’s kernel driver on the target system.”

If system owners receive detection signatures of Snake implant activity or have other indicators of compromise associated with FSB actors using Snake, the impacted organization should immediately initiate its documented incident response plan, the notice added.
The mitigations should also include separating user and privileged accounts to make it harder for FSB actors to obtain administrator credentials, employing network segmentation that denies all connections by default unless explicitly required for specific system functionality, and implementing phishing-resistant multifactor authentication (MFA) to add a layer of security that holds even when account credentials have been compromised.