Federal law enforcement has crashed a network of compromised computers an elite Russian espionage group used for two decades to spy on some 50 countries and exfiltrate sensitive information.
Unit 16 of Russia’s Federal Security Service, or FSB, referred to as Turla, apparently used versions of the Snake malware to set up a peer-to-peer network of hundreds of infected computers to strip away material belonging to U.S. allies in the North American Treaty Organization, journalists and other targets of interests to the Kremlin.
MEDUSA Disables Turla’s Snake Malware
The counter operation, code-named MEDUSA, disabled Turla’s Snake malware on compromised computers through the use of an FBI-created tool named PERSEUS, which has the capability to decrypt and decode Snake communications. PERSEUS established communication sessions with the Snake malware on a computer and issued commands that caused the malicious code to disable itself without affecting the host computer or its legitimate applications.
The FBI executed the MEDUSA operation within the U.S., backed by a search warrant issued from the Eastern District of New York that authorized remote access to the compromised computers. Outside of the U.S., the FBI is engaging with local authorities to provide both notice of Snake infections within those authorities’ countries and remediation guidance.
Deputy Attorney General Lisa O. Monaco explained how the operation turned Russian malware on itself:
“U.S. law enforcement has neutralized one of Russia’s most sophisticated cyber-espionage tools, used for two decades to advance Russia’s authoritarian objectives. By combining this action with the release of the information victims need to protect themselves, the Justice Department continues to put victims at the center of our cybercrime work and take the fight to malicious cyber actors.”
Turla Evaded Detection for 20 Years
In the past 20 years, Turla has evaded detection by applying upgrades and revisions to the Snake malware and selectively deploying it to ensure that it remained the spy group’s most sophisticated long-term cyber espionage malware implant. The Snake implant has the ability to persist on a compromised computer’s system indefinitely, typically undetected by the machine’s owner or authorized users, despite a victim’s efforts to remediate the infection, officials said.
The FBI, the National Security Agency, the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and six other intelligence and cybersecurity agencies from each of the Five Eyes member nations issued a joint cybersecurity advisory. The advisory provided detailed technical information about the Snake malware, which will allow cybersecurity professionals to detect and remediate Snake malware infections on their networks.
Officials said that the Snake disablement operation did not patch any vulnerabilities or search for or remove any additional malware or hacking tools.