DOJ executes court-authorized disruption of Snake malware network controlled by Russia’s FSB

The U.S. Justice Department announced the completion of a court-authorized operation, codenamed ‘Medusa,’ to disrupt a global peer-to-peer (P2P) network of computers compromised by sophisticated malware called ‘Snake.’ The U.S. Government attributes the malware to a unit within Center 16 of the Federal Security Service of the Russian Federation (FSB).

Merrick B. Garland, U.S. Attorney General; Breon Peace, U.S. Attorney for the Eastern District of New York; Lisa O. Monaco, Deputy Attorney General of the Justice Department; and Michael J. Driscoll, Assistant Director-in-Charge, FBI, New York Field Office, announced the operation for the Justice Department.

“Operation MEDUSA disabled Turla’s Snake malware on compromised computers through the use of an FBI-created tool named PERSEUS, which issued commands that caused the Snake malware to overwrite its own vital components,” the Justice Department said on Tuesday. “Within the United States, the operation was executed by the FBI pursuant to a search warrant issued by United States Magistrate Judge Cheryl L. Pollak of the Eastern District of New York, which authorized remote access to the compromised computers.” 

The New York court unsealed redacted versions of the affidavit submitted in support of the application for the search warrant and of the search warrant issued by the court. ​​The FBI is partnering with law enforcement agencies throughout the world to notify victims of Snake malware and advise them on ways to remove the malicious code from their systems.

For nearly 20 years, the unit, referred to in court documents as ‘Turla,’ has used versions of the Snake malware to steal sensitive documents from hundreds of computer systems in at least 50 countries, belonging to North Atlantic Treaty Organization (NATO) member governments, journalists, and other targets of interest to the Russian Federation. After stealing these documents, Turla exfiltrated them through a covert network of unwitting Snake-compromised computers in the U.S. and around the world.

The Snake cyber espionage tool has been designed and used by Center 16 of Russia’s FSB for long-term intelligence collection on sensitive targets. The FSB established a secret P2P network using many computers afflicted with the Snake malware to carry out its operations through the tool. Many systems in this P2P network serve as relay nodes that route disguised operational traffic to and from Snake implants on the FSB’s ultimate targets. Snake’s custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts.

Global cybersecurity agencies have identified Snake infrastructure in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia, including the U.S. and Russia itself. Although Snake leverages infrastructure across all industries, its targeting is purposeful and tactical. Globally, the FSB has used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities, and journalists.

The U.S. government has been investigating Snake and Snake-related malware tools for nearly 20 years. It has monitored FSB officers assigned to Turla conducting daily operations using Snake from a known FSB facility in Ryazan, Russia. 

“Although Snake has been the subject of several cybersecurity industry reports throughout its existence, Turla has applied numerous upgrades and revisions, and selectively deployed it, all to ensure that Snake remains the FSB’s most sophisticated long-term cyberespionage malware implant,” the Justice Department disclosed. “Unless disrupted, the Snake implant persists on a compromised computer’s system indefinitely, typically undetected by the machine’s owner or authorized users. The FBI has observed Snake persist on particular computers despite a victim’s efforts to remediate the compromise.”

The department revealed that the malware gave Turla operators the ability to remotely deploy selected malware tools to extend Snake’s functionality to identify and steal sensitive information and documents stored on a particular machine. “Most importantly, the worldwide collection of Snake-compromised computers acts as a covert peer-to-peer network, which utilizes customized communication protocols designed to hamper detection, monitoring, and collection efforts by Western and other signals intelligence services.” 

The Justice Department outlined that Turla uses the Snake network to route data exfiltrated from target systems through numerous relay nodes scattered around the world back to Turla operators in Russia. “For example, the FBI, its partners in the U.S. Intelligence Community, together with allied foreign governments, have monitored the FSB’s use of the Snake network to exfiltrate data from sensitive computer systems, including those operated by NATO member governments, by routing the transmission of these stolen data through unwitting Snake-compromised computers in the United States.”

According to court documents, through analysis of the Snake malware and the Snake network, the FBI developed the capability to decrypt and decode Snake communications. “With information gleaned from monitoring the Snake network and analyzing Snake malware, the FBI developed a tool, named PERSEUS, that establishes communication sessions with the Snake malware implant on a particular computer, and issues commands that cause the Snake implant to disable itself without affecting the host computer or legitimate applications on the computer,” it added.

Although Operation Medusa disabled the Snake malware on compromised computers, victims should take additional steps to protect themselves from further harm, the Justice Department warned. “The operation to disable Snake did not patch any vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks. The Department of Justice strongly encourages network defenders to review the Joint Advisory for further guidance on detection and patching,” it added. 

Moreover, as noted in court documents, Turla frequently deploys a ‘keylogger’ with Snake that Turla can use to steal account authentication credentials, such as usernames and passwords, from legitimate users, the department highlighted. “Victims should be aware that Turla could use these stolen credentials to fraudulently re-access compromised computers and other accounts.”

The FBI is providing notice of the court-authorized operation to all owners or operators of the computers remotely accessed according to the search warrant.

Furthermore, the criminal investigation into the FSB’s use of the Snake malware is being handled by the Office’s National Security and Cybercrime Section. Assistant United States Attorney Ian C. Richardson is in charge of the investigation, with assistance from the National Security Division’s Counterintelligence and Export Control Section.

The efforts to disrupt the Snake malware network were led by the FBI’s New York Field Office, the FBI’s Cyber Division, the U.S. Attorney’s Office for the Eastern District of New York, and the National Security Division’s Counterintelligence and Export Control Section. Assistance was also provided by the Criminal Division’s Computer Crime and Intellectual Property Section.

Those efforts would not have been successful without the partnership of numerous private-sector entities, including those victims who allowed the FBI to monitor Snake communications on their systems.

Commenting on the Justice Department move, Tom Kellermann, senior vice president of cyber strategy at Contrast Security, wrote in an emailed statement that, “this represents a historic blow to the Russian cyberespionage apparatus. The Justice Department has taken the gloves off and this disruption serves as a harbinger of more aggressive actions to come.” 

On Tuesday, to empower network defenders worldwide, the FBI, the National Security Agency, the Cybersecurity and Infrastructure Security Agency, the U.S. Cyber Command Cyber National Mission Force, and six other intelligence and cybersecurity agencies from each of the Five Eyes member nations, issued a joint cybersecurity advisory with detailed technical information about the Snake malware that will allow cybersecurity professionals to detect and remediate Snake malware infections on their networks. 

The FBI and State Department are also providing additional information to local authorities in countries where computers infected with the Snake malware have been located.

Last month, the Health Information Sharing and Analysis Center (Health-ISAC), Microsoft’s Digital Crimes Unit (DCU), and cybersecurity software company Fortra said that they are taking technical and legal action to disrupt cracked, legacy copies of Cobalt Strike and abused Microsoft software, which have been used by cybercriminals to distribute malware, including ransomware. The U.S. District Court for the Eastern District of New York issued a court order allowing Microsoft, Fortra, and Health-ISAC to disrupt the malicious infrastructure used by criminals to facilitate their attacks.
