FBI nukes Russian Snake data theft malware with self-destruct command
How the FBI Took Down Russian Malware

Cybersecurity and intelligence agencies from all Five Eyes member nations took down the infrastructure used by the Snake cyber-espionage malware operated by Russia's Federal Security Service (FSB).
The development of the Snake malware started under the name "Uroburos" in late 2003, while the first versions of the implant were seemingly finalized by early 2004, with Russian state hackers deploying the malware in attacks immediately after.
The malware is linked to a unit within Center 16 of the FSB, the notorious Russian Turla hacking group, and was disrupted following a coordinated effort named Operation MEDUSA.
"The Justice Department, together with our international partners, has dismantled a global network of malware-infected computers that the Russian government has used for nearly two decades to conduct cyber-espionage, including against our NATO allies," said Attorney General Garland in a press release issued today.
According to court documents unsealed today (affidavit and search warrant), the U.S. government kept a close eye on Snake and Snake-linked malware tools for almost 20 years while also monitoring Russian Turla hackers using Snake from an FSB facility in Ryazan, Russia.
Described as "the FSB's most sophisticated long-term cyberespionage malware implant," Snake allowed its operators to remotely install malware on compromised devices, steal sensitive documents and information (e.g., authentication credentials), maintain persistence, and hide their malicious activities when using this "covert peer-to-peer network."
Five Eyes cybersecurity and intel agencies have also issued a joint advisory with details to help defenders detect and remove Snake malware on their networks.
Disabled via self-destruct command
The FBI took down all infected devices within the United States while, outside the U.S., the agency "is engaging with local authorities to provide both notice of Snake infections within those authorities' countries and remediation guidance."
"As described in court documents, through analysis of the Snake malware and the Snake network, the FBI developed the capability to decrypt and decode Snake communications," the U.S. Justice Department said.
"With information gleaned from monitoring the Snake network and analyzing Snake malware, the FBI developed a tool, named PERSEUS, that establishes communication sessions with the Snake malware implant on a particular computer, and issues commands that cause the Snake implant to disable itself without affecting the host computer or legitimate applications on the computer."
After decrypting network traffic between NATO and U.S. devices compromised by Snake malware, the FBI also found that Turla operators used the implant in attempts to steal what looked like confidential United Nations and NATO documents.
The search warrant obtained by the FBI allowed the agency to access the infected devices, overwrite the malware without affecting legitimate apps and files, and terminate the malware running on the compromised computers.
The FBI is now notifying all owners or operators of the computers it remotely accessed to remove the Snake malware, and informing them that they may also have to remove other malicious tools or malware planted by the attackers, including the keyloggers that Turla often deployed alongside Snake on infected systems.
Until it was disrupted, the Snake malware infrastructure, which has been detected in more than 50 countries, was used by the Russian FSB hackers to gather and steal sensitive data from a wide range of targets, including government networks, research organizations, and journalists.
Turla (also tracked as Waterbug and Venomous Bear) has been orchestrating cyber-espionage campaigns targeting governments, embassies, and research facilities worldwide since at least 1996.
The group is suspected of being behind attacks targeting the U.S. Central Command, the Pentagon and NASA, several Eastern European Ministries of Foreign Affairs, as well as the Finnish Foreign Ministry.
The FBI dismantled the Snake network with a court-approved operation dubbed MEDUSA, the Justice Department said.
The operation disabled the Snake malware on compromised computers with an FBI-created tool named PERSEUS.
The bureau is working with authorities in other countries to notify other victims of Snake infections, officials said.
The FBI has been tracking Snake and related malware tools for nearly two decades, developing the ability to decrypt and decode Snake communications.
Deputy Attorney General Lisa Monaco said the takedown "has neutralized one of Russia's most sophisticated cyber-espionage tools, used for two decades to advance Russia's authoritarian objectives."
"By combining this action with the release of the information victims need to protect themselves, the Justice Department continues to put victims at the center of our cybercrime work and take the fight to malicious cyber actors," Monaco said in a statement.
Court documents released on Tuesday detailed how the FSB unit, known as Turla, deployed Snake from a known FSB facility in Ryazan, Russia, to conduct daily espionage operations.
The unit has repeatedly upgraded and revised the malware to ensure it remains "Turla's most sophisticated long-term cyberespionage malware implant," the Justice Department said.
Senior law enforcement officials said FBI technical experts had identified and disabled malware wielded by Russia's FSB security service against an undisclosed number of American computers, a move they hoped would deal a death blow to one of Russia's leading cyber spying programs.
"We assess this as being their premier espionage tool," one of the U.S. officials told journalists ahead of the release. He said Washington hoped the operation would "eradicate it from the virtual battlefield."
The official said the FSB spies behind the malware, known as Snake, are part of a notorious hacking group tracked by the private sector and known as "Turla."
The group has been active for two decades against a variety of NATO-aligned targets, U.S. government agencies and technology companies, a senior FBI official said.
Russian diplomats did not immediately return a message seeking comment. Moscow routinely denies carrying out cyberespionage operations.
U.S. officials spoke to journalists on Tuesday ahead of the news release on condition that they not be named. Similar announcements, revealing the FSB cyber disruption effort, were made by security agencies in the UK, Canada, Australia and New Zealand.
Turla is widely considered one of the most sophisticated hacking teams studied by the security research community.
"They have persisted in the shadows by focusing on stealth and operational security," said John Hultquist, vice president of threat analysis at U.S. cybersecurity company Mandiant. "They are one of the hardest targets we have."
The U.S. government dubbed the disruption of Turla's Snake malware "Operation Medusa." The FBI and its partners identified where the hacking tool had been deployed across the internet and built a unique software "payload" to disrupt the hackers' infrastructure.
The FBI relied on existing search warrant authorities to remotely access the Russian malicious program within victim networks in the U.S. and sever its connections.
The senior FBI official said the Bureau's tool was designed only to communicate with the Russian spy program. "It speaks Snake, and communicates with Snake's custom protocols" without accessing the victim's personal files, the official said.