NEWS | May 9, 2023

U.S. and Allies Identify and Expose Russian Intelligence-Gathering “Snake” Malware

By Cyber National Mission Force Public Affairs

FORT GEORGE E. MEADE, Md. – U.S. Cyber Command’s Cyber National Mission Force, along with interagency and foreign partners, has identified infrastructure for the Russian Federal Security Service (FSB)’s “Snake” malware in over 50 countries across North and South America, Europe, Africa, Asia, and Australia, including the U.S. and Russia itself.

The agencies, which include the National Security Agency, Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, Canadian Cyber Security Centre (CCCS), Australian Cyber Security Centre (ACSC), and the UK’s National Cyber Security Centre (NCSC), publicly released the joint Cybersecurity Advisory (CSA), “Hunting Russian Intelligence ‘Snake’ Malware,” on May 9 to assist network defenders in detecting the malware and any associated activity.

This CSA provides background on Snake’s attribution to the FSB and detailed technical descriptions of the implant’s host architecture and network communications.

Used by Center 16 of the FSB, the Snake implant was designed for long-term intelligence collection on sensitive targets. Snake is considered the most sophisticated cyber espionage tool in the FSB’s arsenal, and variants of the malware tool have been used by the FSB for nearly 20 years.

Snake uses infrastructure across all industries; its targeting is purposeful and tactical in nature. Globally, the FSB has used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities, and journalists. Within the United States, the FSB has victimized industries including education, small businesses, and media organizations, as well as critical infrastructure sectors including government facilities, financial services, critical manufacturing, and communications.

The Snake malware has been attributed to a known unit within Center 16 of the FSB, which broadly operates numerous elements of the Turla toolset. The unit has subunits spread throughout Russia in a reflection of historical KGB signals intelligence operations in the Soviet Union.

Read the full report here.