2023-05-15

On May 9, the Federal Bureau of Investigation (FBI) sabotaged a suite of malicious software used by Russian spies. According to senior American law enforcement officials, FBI technical experts identified and disabled malware wielded by Russia's Federal Security Service (FSB) against an undisclosed number of American computers. The officials said that the FSB officers behind the malware, known as Snake, were part of a notorious hacking group tracked by the private sector and known as "Turla."

This sabotage by the FBI provided a glimpse of the digital tug-of-war between the United States and Russia. What is Snake? According to the Cybersecurity and Infrastructure Security Agency (CISA) on May 9, the Snake malware is considered the most sophisticated cyber espionage tool designed and used by Center 16 of FSB for long-term intelligence collection on sensitive targets. The CISA said that to carry out operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers around the world.

"Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB’s ultimate targets. Snake’s custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts," the CISA added.

The agency said that it identified the Snake infrastructure in more than 50 countries across North America, South America, Europe, Africa, Asia, and Australia, including the United States and Russia itself.

The FSB started developing Snake as "Uroburos" in late 2003. The development of the initial versions of the implant appeared to be completed around early 2004, with cyber operations first conducted using the implant shortly thereafter.

The malware's targets

Though Snake has used infrastructure across all industries, its targeting is "purposeful and tactical in nature," according to the CISA. The FSB used Snake to collect sensitive intelligence from high-priority targets such as government networks, journalists and research facilities.

Sharing an example, the CISA said that FSB actors used Snake to access and exfiltrate sensitive international relations documents, as well as other diplomatic communications, from a victim in a North Atlantic Treaty Organization (NATO) nation.

Within the US, the Russian security agency victimised industries including education, small business and media organisations. Critical infrastructure sectors in the US, including government facilities, were also targeted.

The people behind Snake

As mentioned earlier, the FSB officials behind Snake were part of the hacking group called Turla. On May 9, the US Justice Department said in a statement that for nearly 20 years, "this unit, referred to in court documents as Turla, used versions of Snake to steal sensitive documents from hundreds of computer systems in at least 50 countries, which have belonged to North Atlantic Treaty Organization (NATO) member governments, journalists, and other targets of interest to the Russian Federation."

After stealing these documents, Turla exfiltrated them through a covert network of unwitting Snake-compromised computers in the US and around the world.

Operation MEDUSA

The FBI-led Operation MEDUSA was behind the sabotage of the Snake malware. The US Justice Department said in its statement that MEDUSA disabled the malware on compromised computers through the use of an FBI-created tool called PERSEUS, which issued commands that caused the Snake malware to overwrite its vital components.

"The FBI developed a tool named PERSEUS which establishes communication sessions with the Snake malware implant on a particular computer, and issues commands that cause the Snake implant to disable itself without affecting the host computer or legitimate applications on the computer," the statement said.

The US has been investigating Snake and Snake-related malware tools for nearly two decades. "The US government has monitored FSB officers assigned to Turla conducting daily operations using Snake from a known FSB facility in Ryazan, Russia," the statement added.

“The Justice Department, together with our international partners, has dismantled a global network of malware-infected computers that the Russian government has used for nearly two decades to conduct cyber-espionage, including against our NATO allies,” US Attorney General Merrick B. Garland said on the sabotage.

"We will continue to strengthen our collective defences against the Russian regime's destabilizing efforts to undermine the security of the United States and our allies," he added.

A word of caution for victims

The Justice Department pointed out that even though Operation MEDUSA disabled the Snake malware on compromised computers, victims should take additional steps to protect themselves from further harm.

"The operation to disable Snake did not patch any vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on the victim," it said.

"Turla frequently deploys a 'keylogger' with Snake that Turla can use to steal account authentication credentials, such as usernames and passwords, from legitimate users," the department added, cautioning victims that the Russian hacking group could use these stolen credentials to fraudulently re-access compromised computers and other accounts.

