Snake, considered the most “sophisticated cyber espionage tool designed”, has been disrupted in Operation Medusa, led by the FBI and the US Attorney’s Office for the Eastern District of New York.
The malware has been used by Center 16 of the Federal Security Service of the Russian Federation (FSB) to steal sensitive information and documents from specially selected targets. The Snake infrastructure has been identified in more than 50 countries, and the targets include government networks, research facilities and journalists.
“Russia used sophisticated malware to steal sensitive information from our allies, laundering it through a network of infected computers in the United States in a cynical attempt to conceal their crimes. Meeting the challenge of cyberespionage requires creativity and a willingness to use all lawful means to protect our nation and our allies,” said US Attorney Breon Peace for the Eastern District of New York.
“For 20 years, the FSB has relied on the Snake malware to conduct cyberespionage against the United States and our allies – that ends today,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division.
Peer-to-peer network
Operation Medusa, which was court-authorized, interrupted a global peer-to-peer network of computers that were compromised by the malware – which the unit ‘Turla’ within Center 16 of the FSB was behind.
Snake has been on the US Government’s radar for nearly 20 years, and they have investigated it and related malware tools, as well as monitored FSB officers that were assigned to the Turla unit.
“Russia used sophisticated malware to steal sensitive information from our allies, laundering it through a network of infected computers in the United States in a cynical attempt to conceal their crimes.”
Breon Peace, US Attorney for the Eastern District of New York
Using the Snake malware, the Turla operators could remotely deploy more malware tools to machines and steal sensitive information and documents from the victims.
Even though the industry has been aware of Snake for a long time, Turla has ensured that the malware continuously evolved by applying numerous upgrades and revisions, which made it hard to disrupt. Snake was disabled on compromised computers by ‘Perseus’, an FBI-created tool, which made Snake overwrite its own vital components.
“Through a high-tech operation that turned Russian malware against itself, US law enforcement has neutralized one of Russia’s most sophisticated cyber-espionage tools, used for two decades to advance Russia’s authoritarian objectives,” said Deputy Attorney General Lisa O Monaco.
Joint advisory
To take further action in connection with Snake, the FBI, the National Security Agency, the Cybersecurity and Infrastructure Security Agency, the US Cyber Command Cyber National Mission Force, and six other intelligence and cybersecurity agencies have issued a joint cybersecurity advisory. The report includes detailed technical information about the Snake malware, and how to detect and remove it from networks.
“For 20 years, the FSB has relied on the Snake malware to conduct cyberespionage against the United States and our allies – that ends today.”
Matthew G. Olsen, Assistant Attorney General of the Justice Department’s National Security Division
Even though the malware has now been removed from compromised computes, the group advises that victims should take additional steps to prevent further damage, particularly if hackers now move to use stolen credentials to re-access computers and accounts. The DOJ also encourages network defenders to review the joint advisory for additional guidance on detection and patching.
“We strongly encourage organisations to read the technical information about Snake malware and implement the mitigations to help detect and defend against this advanced threat,” said Paul Chichester, NCSC Director of Operations.