FBI Disarms Russian FSB 'Snake' Malware Network

Operation "Medusa" disabled Turla's Snake malware with an FBI-created tool called Perseus.


The US Department of Justice announced it has pulled off a joint operation code-named Medusa that decimated a long-standing malware operation run by the Federal Security Service of the Russian Federation (FSB).

For nearly 20 years, threat group Turla, operating inside the FSB's notorious Center 16, used Snake malware to steal secrets from North Atlantic Treaty Organization (NATO)-member governments, according to an announcement from the US Attorney's Office in the Eastern District of New York.

Following compromise of target government systems, Turla would exfiltrate sensitive data through a network of compromised machines spread throughout the US and beyond to make detection harder, the DoJ said.

The FBI developed a tool named Perseus, which was able to successfully command components of the Snake malware to overwrite itself on compromised systems, the DoJ added.

"For 20 years, the FSB has relied on the Snake malware to conduct cyberespionage against the United States and our allies — that ends today," Assistant Attorney General Matthew G. Olsen of the Justice Department's National Security Division said in the statement. "The Justice Department will use every weapon in our arsenal to combat Russia's malicious cyber activity, including neutralizing malware through high-tech operations, making innovative use of legal authorities, and working with international allies and private sector partners to amplify our collective impact."

Court documents show US authorities have been investigating Snake malware for nearly all of its two decades of existence and had officers assigned to monitor Turla's activities from a "known FSB facility in Ryazan, Russia," the Eastern District of New York announcement of Operation Medusa added.

Turla's Long History

Likewise, threat hunters including Kevin Mandia have been tracking Turla's activities for many years, according to John Hultquist, head of Mandiant intelligence analysis for Google Cloud.

"Turla is a Russian cyber-espionage actor and one of the oldest intrusion groups we track, existing in some form as early as the 1990s when Kevin Mandia was responding to their intrusions into government and the defense industry," Hultquist remarked in a statement provided to Dark Reading, citing Mandiant's CEO and founder Mandia. "They are focused on the classic targets of espionage — government, military, and the defense sector, and their activity is characterized by a reliably quiet assault on these targets that rarely draws attention to themselves."

There have been occasional high-profile Turla operations, he noted, "like the Agent.BTZ incident in the early 2000's, and the Moonlight Maze activity in the '90s, but these events are outweighed by a breadth of activity that goes unnoticed."

This year, Turla was observed by Mandiant using command-and-control servers from 10-year-old malware Andromeda to target and spy on Ukrainian systems.

And just last month, another threat group, Tomiris, was observed by Kaspersky researchers using Turla's Snake malware.

Turla's Future

Under similar circumstances, nation-state threat actors like Turla would have burned the Snake backdoor framework long ago and innovated something new, Frank van Oeveren, manager of threat intelligence & security research at Fox-IT, part of NCC Group, said in a statement provided to Dark Reading.

“But Snake itself is sophisticated and well put together, which shows how much time and money was spent in developing the framework,” van Oeveren added. "We think it's quite likely Snake was detected in 50 countries – with NATO, their allies and other independent states, the list with possible targets gets quite extensive."

Turla, by van Oeveren's estimation, is creative and should not be underestimated, despite the Snake malware setback.

"Turla will most likely continue with a different framework, but it's always a surprise what the group will do," he said.

About the Author

Becky Bracken, Senior Editor, Dark Reading


Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.
