The FBI has cut off a network of Kremlin-controlled computers used to spread the Snake malware which, according to the Feds, has been used by Russia’s FSB to steal sensitive documents from NATO members for almost two decades.
Turla, the FSB-backed cyberspy group, has used versions of the Snake malware to steal data from hundreds of computer systems belonging to governments, journalists, and other targets of interest in at least 50 countries, according to the US Justice Department. After identifying and stealing sensitive files on victims’ devices, Turla exfiltrated them through a covert network of unwitting Snake-compromised computers in the US.
In effect, Snake can infect Windows, Linux, and macOS systems, and use those network nodes to pass data stolen from victims along to the software nasty’s Russian spymasters. The NSA published a technical overview of the code here and here [PDF].
“To obfuscate communications between the Snake-compromised computers that comprise the Snake network, the nature of the data stolen by the FSB and the identity of the FSB as the attacker, communications between Snake implants on compromised computers are encrypted, fragmented, and sent using customized methodologies built atop common network protocols,” according to US prosecutors in court documents [PDF].
“As a result, Snake communications are difficult to distinguish from legitimate victim network traffic, and the data payloads are impossible to decrypt and interpret without software specifically designed to process the implant’s custom protocols,” the affidavit continues.
As part of the so-called Operation Medusa, announced today, the Feds obtained a warrant [PDF] to remotely access eight computers in the US that Snake had infected, and then overwrite and terminate the malware running on those machines.
“Through a high-tech operation that turned Russian malware against itself, US law enforcement has neutralized one of Russia’s most sophisticated cyber-espionage tools, used for two decades to advance Russia’s authoritarian objectives,” Deputy Attorney General Lisa Monaco said in a statement.
According to the court documents, the FBI had been monitoring the malware’s activity on infected computers in America — with their owners’ permission, we’re told. Agents were able to study the code and develop a technique that mimics Snake’s session authentication protocol to trick another computer on the network into communicating with it.
The FBI decided to name this tool Perseus, and after it establishes communication sessions with the Snake malware on a device, issues commands that causes the malicious implant to disable itself by overwriting key code components, without affecting the host computer or any legitimate applications.
As many of the malware’s victims are located outside the US, the FBI says it’s engaging with local authorities to provide notice of Snake infections and offer remediation guidance.
Operation Medusa is the latest in a series of high-profile actions this month that Uncle Sam and friends have taken in the past few months to disrupt cybercrime.
Yesterday, the DOJ said it has seized 13 internet domains selling distributed-denial-of-service attacks.
And earlier this month, US and European law enforcement arrested 288 people who were allegedly selling opioids on the now-shuttered Monopoly Market dark web drug trafficking marketplace. ®