The Department of Justice (DoJ) announced the official disruption of a sophisticated Russian spy tool on Tuesday – noting that after 20 years of stealing sensitive documents from hundreds of computer systems in 50 NATO countries, the malware known as “Snake” had finally been dismantled.
According to the May 9 press release, the court-ordered operation – code-named MEDUSA – disrupted a global peer-to-peer network of computers compromised by the Snake malware, which the DoJ attributes to the “Turla” unit within the Federal Security Service of the Russian Federation.
“The Justice Department, together with our international partners, has dismantled a global network of malware-infected computers that the Russian government has used for nearly two decades to conduct cyber-espionage, including against our NATO allies,” said Attorney General Merrick Garland. “We will continue to strengthen our collective defenses against the Russian regime’s destabilizing efforts to undermine the security of the United States and our allies.”
Operation MEDUSA disabled Turla’s Snake malware on compromised computers through the use of an FBI-created tool, which issued commands that caused the Snake malware to overwrite its own vital components, DoJ officials said.
Russian spies did not use Snake to stage physical attacks, but the malware gave Russia clandestine access to computers of NATO governments, journalists, and other targets of interest, allowing those devices to communicate covertly among each other.
The DoJ has been investigating Snake for nearly 20 years, officials said. Turla has applied numerous upgrades and revisions to ensure that Snake remains the most sophisticated long-term cyberespionage malware implant.
Snake provides its Turla operators the ability to remotely deploy selected malware tools to extend Snake’s functionality to identify and steal sensitive information and documents. Most importantly, the DoJ said the worldwide collection of Snake-compromised computers acts as a covert peer-to-peer network, which utilizes customized communication protocols designed to hamper detection, monitoring, and collection efforts by intelligence services.
Through analysis of the Snake malware, the FBI developed the capability to decrypt and decode Snake communications. The agency’s tool – dubbed PERSEUS – establishes communication sessions with the Snake implant on a particular computer and issues commands that cause the implant to disable itself without affecting the host computer.
“When it comes to combating Russia’s attempts to target the United States and our allies using complex cyber tools, we will not waver in our work to dismantle those efforts,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “When it comes to any nation state engaged in cyber intrusions which put our national security at risk, the FBI will leverage all tools available to impose cost on those actors and to protect the American people.”
Unless disrupted, the Snake implant persists on a compromised computer indefinitely, typically undetected by the machine’s owner or authorized users, DoJ officials warned.
Although Operation MEDUSA disabled the Snake malware on compromised computers, victims should take additional steps to protect themselves from further harm. Ten global intelligence agencies issued a joint cybersecurity advisory to help victims detect and remediate a Snake compromise.