A two-decade old Russian cyber espionage network has finally been dismantled.
The US Justice Department yesterday (May 9) announced the completion of a court-authorized operation, code-named MEDUSA, to disrupt a global peer-to-peer network of computers compromised by sophisticated malware, called “Snake.” The network was “up and active” until a day prior to the law enforcement action, a senior Federal Bureau of Investigation (FBI) official told reporters on a conference call.
The US government linked the massive undertaking to a unit within Center 16 of the Federal Security Service of the Russian Federation (FSB), which is referred to as “Turla” in court documents. This FSB unit began developing Snake as “Uroburos” in late 2003 and created the initial version by 2004.
In the ensuing two decades, Turla used versions of the Snake malware to steal sensitive documents. It would then exfiltrate the information through a covert network of unwitting Snake-compromised computers in the US and around the world. This peer-to-peer network utilized “customized communication protocols designed to hamper detection, monitoring, and collection efforts by Western and other signals intelligence services,” according to the Department of Justice (DOJ).
According to deputy attorney general Lisa O. Monaco, Snake is “one of Russia’s most sophisticated cyber-espionage tools.”
Russia’s snake malware, by the digits
20 years: How long the Russian unit Turla has used versions of the Snake malware to steal sensitive documents
More than 10 years: How long the US has been investigating Snake and Snake-related malware tools
Hundreds: Number of computer systems the data was stolen from
At least one: Journalist who covered Russia for a US news outlet whose personal computer was infected with the malware
At least 50: Countries targeted by Turla, which have belonged to North Atlantic Treaty Organization (NATO) member governments, journalists, and other targets of interest to the Russian Federation
19: Internet protocol (IP) addresses associated with computers in the US that were infected that the FBI was able to identify, a senior FBI official told reporters. The official declined to say exactly how many US-based computers were compromised.
How did the US bring down Snake malware?
The FBI created a tool called PERSEUS—the mythological Greek hero who slayed snake-haired Medusa—that “issued commands that caused the Snake malware to overwrite its own vital components,” the DOJ said.
DOJ relied on a special seizure warrant, known as a Rule 41 procedure, to remove the Russian malware from affected US computers. The rule used for these kinds of coordinated takedowns has been used twice before—once in 2021 to disrupt the China-linked so-called Hafnium espionage campaign and to destroy Cyclops Blink, a botnet controlled by Russian intelligence.
One more thing: Is the Snake threat over for good?
Federal cybersecurity agencies from each of the Five Eyes member nations—Canada, Australia, New Zealand, the UK, and the US—issued a joint cybersecurity advisory with detailed technical information about the Snake malware that will allow cybersecurity professionals to detect and remediate Snake malware infections on their networks.
The FBI and US Department of State are also walking local authorities in countries where computers that have been targeted by the Snake malware have been located through remedial steps.
While Operation MEDUSA disabled the Snake malware on compromised computers, victims need to mitigate further harm. For instance, the operation “did not patch any vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on the victim,” the DOJ said. For instance, Turla frequently deploys a “keylogger” with Snake that Turla can use to steal account authentication credentials, such as usernames and passwords, from legitimate users. These stolen credentials could be used to fraudulently re-access compromised computers and other accounts.
🗺️ Russia’s cyberwar against Ukraine is every bit as strategic as its ground offensive
✈️ Pro-Russian hackers have attacked Europe’s air-traffic agency