The FBI tracked the cyber-espionage malware for nearly two decades
The US government said it has disrupted a long-running Russian cyber-espionage campaign that stole sensitive information from the US and NATO governments, an operation that took the FBI nearly 20 years.
The Justice Department announced on Tuesday that an FBI operation successfully dismantled the ‘Snake’ malware network used by Turla, a notorious hacking group long affiliated with Russia’s Federal Security Service (FSB). Turla had previously been linked to a cyber attack targeting US Central Command, NASA and the Pentagon.
US officials describe Snake as the “most sophisticated cyber-espionage tool in the FSB’s arsenal.”
The DOJ and its global partners identified the Snake malware in hundreds of computer systems in at least 50 countries. Prosecutors said the Russian spies behind the Turla group used the malware to attack NATO member states — and other targets of the Russian government — as far back as 2004.
In the United States, the FSB used its vast network of Snake-infected computers to target industries such as education, small businesses and media organizations, along with critical infrastructure sectors including government facilities, financial services, manufacturing and communications. The FBI said it obtained information indicating that Turla had also used Snake malware to target the personal computer of a journalist at an unnamed US news media company who had reported on the Russian government.
Prosecutors added that Snake persists “indefinitely” on a compromised computer system, despite attempts by the victim to neutralize the infection.
After stealing sensitive documents, Turla exfiltrated this information through a secret peer-to-peer network of Snake-compromised computers in the US and other countries, the DOJ said, making the network’s presence more difficult to detect.
From Brooklyn to Moscow
According to the FBI statement, US authorities monitored the spread of the malware for years, along with the Turla hackers who operated Snake from FSB facilities in Moscow and the nearby city of Ryazan.
The FBI said it developed a tool called “Perseus,” named after the Greek monster-slaying hero, that allowed its agents to identify network traffic that the Snake malware had tried to cover up.
Between 2016 and 2022, FBI officials identified the IP addresses of eight compromised computers in the US, in California, Georgia, Connecticut, New York, Oregon, South Carolina and Maryland. (The FBI said it also warned local authorities to remove Snake infections on compromised machines outside the United States.)
With the victim’s consent, the FBI remotely accessed some of the compromised machines and monitored each for “years at a time”. This allowed the FBI to identify other victims in the Snake network and develop capabilities to impersonate the Turla operators and issue orders to the Snake malware as if the FBI agents were the Russian hackers.
Then this week, after obtaining a search warrant from a federal judge in Brooklyn, New York, the FBI got the go-ahead to order the network to shut down en masse.
The FBI used its Perseus tool to mimic Snake’s built-in commands, which when sent by Perseus from an FBI computer, “terminate the Snake application and additionally permanently disable the Snake malware by destroying vital components of the Snake implant without deleting all legitimate applications or files on affected computers.”
The affidavit said the FBI used Perseus to trick the Snake malware into deleting itself on the computers it infected. The FBI says it believes this action has permanently disabled Russian-controlled malware on compromised machines and will neutralize the Russian government’s ability to further access the Snake malware currently installed on the compromised computers.
The FBI warned that if it had not taken action to dismantle the malware network, the Russian hackers could have learned “how the FBI and other governments were able to disable the Snake malware and harden Snake’s defenses.”
While the FBI has disabled the Snake malware on compromised computers, the DOJ warned that the Russian hackers could still access compromised machines, as the operation did not look for additional malware or hacking tools that the hackers may have placed on the victims’ networks. The FBI also warned that Turla regularly deploys a “keylogger” on victims’ computers to steal account authentication credentials, such as usernames and passwords, from legitimate users.
The US cybersecurity agency CISA released a 48-page joint advisory to help defenders detect and remove Snake malware on their networks.