FBI sabotages Russian "Snake" malware network


The Federal Bureau of Investigation (FBI) has disrupted a sophisticated Russian spy hacking network the agency has been diligently tracking for over two decades.

The Russian spy operation is said to be responsible for stealing thousands of sensitive documents from hundreds of computer systems in at least 50 countries.

Many of the stolen files belong to high-profile targets, including US government agencies and technology companies, allied North Atlantic Treaty Organization (NATO) member governments, and certain journalists tracked by the Russian Federation.


FBI officials said the notorious spy network, known by agents as Turla, is directly connected to a unit within the Federal Security Service of the Russian Federation (FSB).

“Turla has shown their skills and creativity over the years, and this should not be underestimated.” – Frank van Oeveren, Threat Intelligence & Security Research manager at Fox-IT.

The spy network has been active for two decades.

Turla is widely considered one of the most sophisticated hacking teams studied by the security research community, according to a US Department of Justice (DOJ) release announcing the takedown Tuesday.

“For 20 years, the FSB has relied on the Snake malware to conduct cyberespionage against the United States and our allies – that ends today,” said Assistant Attorney General Matthew G. Olsen of the DOJ’s National Security Division.

The Venomous Bear

Turla has targeted dozens of computers over the years with different versions of a specialized Russian malware, dubbed Snake, creating a global, peer-to-peer network of infected computers.

Unbeknownst to the victims, Turla would use the covert network to exfiltrate stolen documents through remote access servers.


Intelligence insiders say the use of Snake malware is most likely linked to the Russian-based adversary Venomous Bear, a shadowy group highly suspected to operate as part of the FSB.

“Snake operations have been identified as supporting FSB’s Center 16 - a subdivision of the FSB responsible for the interception, decryption, and processing of electronic communications via cyber espionage,” said CrowdStrike head of intelligence Adam Meyers.

In fact, the backdoor malware has been associated with the FSB since the early 2000s, said Frank van Oeveren, Threat Intelligence & Security Research manager at NCC Group's Fox-IT.

“I'm surprised that the FSB was still using Snake until the takedown. The Snake backdoor is an old framework that was developed in 2003 and has been linked to the FSB multiple times by many security vendors,” said Oeveren.

"Normally, you would expect the nation state actors would burn the framework and start developing something new," Oeveren said.

[Image: Russian hackers in hoods. Image by BeeBright | Shutterstock]

Meanwhile, according to Meyers, Venomous Bear, aka Turla, has been expanding its targets to encompass not only the US and NATO, but "Middle Eastern nations, particularly those seen as a threat to Russian-supported countries in the region."

Meyers said the group has also expanded past government and diplomatic-related organizations to include NATO-aligned militaries, defense contractors, and tech companies developing cryptographic hardware, providing telecommunications, or research and development.

Operation MEDUSA

To sabotage the Russian network, the FBI operation – code name MEDUSA – created its own hacking spy tool named Perseus to target an undisclosed number of American computers.


Once inside the compromised computers, Perseus was able to immobilize the Snake malware by issuing commands that caused the malware to overwrite its own vital components, FBI officials said.

“Operation MEDUSA, and others like it, highlight the importance of public/private collaboration and threat intelligence information sharing in the global effort to take down sophisticated cyber adversarial groups,” said Meyers.

The FBI was granted remote access to the infected computers through a court-ordered search warrant issued by the Eastern District Court of New York.

“The Justice Department will use every weapon in our arsenal to combat Russia’s malicious cyber activity, including neutralizing malware through high-tech operations, making innovative use of legal authorities, and working with international allies and private sector partners to amplify our collective impact,” Assistant Attorney General Olsen said.

Experts say Snake malware is extremely difficult to remove from infected computers, persisting despite victims' efforts to eradicate it.

“Unless disrupted, the Snake implant persists on a compromised computer’s system indefinitely, typically undetected by the machine’s owner or authorized users,” the DOJ said.

Oeveren agrees with the DOJ assessment and described an incident his team dealt with a few years back.

"We worked on an incident response case where the Snake malware was observed. During this case, Turla stayed undetected for a few years and was only found by pure luck," said Oeveren.

“Turla has shown their skills and creativity over the years, and this should not be underestimated,” added Oeveren. “Turla will most likely continue with a different framework, but it's always a surprise what the group will do.”

Russian representatives have not yet commented on the FBI sabotage, but routinely deny any involvement in cyber espionage.
