Five Eyes countries disable Russia’s Snake malware network


Cybersecurity agencies from the Five Eyes intelligence co-operative — including Canada and the U.S. — have disrupted a global peer-to-peer network of computers compromised by the Russian-created Snake malware.

In a statement Tuesday, the countries said Snake operations are blamed on a unit within Center 16 of Russia’s Federal Security Service (FSB).

“For nearly 20 years, this unit, referred to in court documents as ‘Turla,’ has used versions of the Snake malware to steal sensitive documents from hundreds of computer systems in at least 50 countries which have belonged to North Atlantic Treaty Organization (NATO) member governments, journalists, and other targets of interest to the Russian Federation,” the U.S. Justice Department said. “After stealing these documents, Turla exfiltrated them through a covert network of unwitting Snake-compromised computers in the United States and around the world.”

In a joint operation called Medusa, the partners disabled Turla’s Snake malware on compromised computers through the use of an FBI-created tool named PERSEUS, which issued commands that caused the Snake malware to overwrite its own vital components.

Within the United States, the operation was executed by the FBI under a warrant issued by a United States judge, which authorized remote access to the compromised computers.

The international coalition identified Snake malware infrastructure across North America, including in the United States, South America, Europe, Africa, Asia, and Australia, and even Russia.

FSB actors used Snake to access and exfiltrate sensitive international relations documents, the coalition said, as well as other diplomatic communications, from a victim in a North Atlantic Treaty Organization (NATO) country. Within the United States, the FSB has victimized industries including education, small businesses, and media organizations, as well as critical infrastructure sectors including government facilities, financial services, critical manufacturing, and communications.

“Russia used sophisticated malware to steal sensitive information from our allies, laundering it through a network of infected computers in the United States in a cynical attempt to conceal their crimes,” said United States Attorney Peace. “Meeting the challenge of cyberespionage requires creativity and a willingness to use all lawful means to protect our nation and our allies. The court-authorized remote search and remediation announced today demonstrates my office and our partners’ commitment to using all of the tools at our disposal to protect the American people.”

Separately, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory with indicators of compromise.

Although Operation Medusa disabled the Snake malware on compromised computers, the advisory says victims should take additional steps to protect themselves from further harm. The operation to disable Snake didn’t patch any vulnerabilities, or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks.

Turla frequently deploys a keylogger with Snake to steal usernames and passwords, the advisory also notes.

In a statement, security provider CrowdStrike said Operation Medusa highlights the importance of public/private collaboration and threat intelligence information sharing in the global effort to take down sophisticated cyber adversarial groups.

“This represents a historic blow to the Russian cyberespionage apparatus,” said Tom Kellermann, SVP of cyber strategy at Contrast Security. “The Justice Department has taken the gloves off and this disruption serves as a harbinger of more aggressive actions to come.”

The FSB began developing Snake as ‘Uroburos’ in late 2003, said the CISA. Development of the initial versions of the implant appeared to be completed around early 2004, with cyber operations first conducted using the implant shortly thereafter. The name Uroburos is appropriate, said the CISA, as the FSB cycled it through nearly constant stages of upgrade and redevelopment, even after public disclosures, instead of abandoning it. The name appears throughout early versions of the code, and the FSB developers also left other unique strings, including Ur0bUr()sGoTyOu#, “which have publicly come back to haunt them.”

Daily operations using Snake have been carried out from an FSB facility in Ryazan, Russia, says the CISA, with an increase in Snake activity during FSB working hours in Ryazan, approximately 7:00 AM to 8:00 PM, Moscow Standard Time (GMT+3). The main developers were Ryazan-based FSB officers known by monikers included in the code of some versions of Snake. In addition to developing Snake, Ryazan-based FSB officers used it to conduct worldwide operations; these operations were different from others launched from Moscow or other FSB sites based on infrastructure and techniques. While the development and re-tooling of Snake has historically been done by Ryazan-based FSB officers, the CISA said Snake operations were also launched from an FSB Center 16-occupied building in Moscow.
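The working-hours observation above is a standard attribution check: an analyst converts observed event times into the suspected operator's local time and measures how much of the activity falls inside an ordinary workday. The following script is an added illustration, not code from the article or the CISA advisory. It uses the page's window (07:00 to 20:00, GMT+3) against a constructed list of UTC timestamps, and generalizes by scoring every whole-hour UTC offset so the analyst can see which zone best explains the activity. The timestamps, the `rank_offsets` function and the sample host are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# The page gives the Ryazan working window as roughly 07:00-20:00 MSK (GMT+3, no DST).
MSK = timezone(timedelta(hours=3), name="MSK")
WORKDAY_START = 7   # first hour considered "working", inclusive
WORKDAY_END = 20    # hour at which the window closes, exclusive

# Constructed sample: UTC times of outbound connections from a hypothetical
# compromised host. These are invented for the example, not real telemetry.
SAMPLE_EVENTS_UTC = [
    "2023-05-02T05:14:00Z",  # 08:14 MSK -> inside window
    "2023-05-02T09:30:00Z",  # 12:30 MSK -> inside
    "2023-05-02T13:45:00Z",  # 16:45 MSK -> inside
    "2023-05-02T16:59:00Z",  # 19:59 MSK -> inside (last minute of the window)
    "2023-05-02T22:10:00Z",  # 01:10 MSK next day -> outside
    "2023-05-03T03:30:00Z",  # 06:30 MSK -> outside (before 07:00)
    "2023-05-03T07:00:00Z",  # 10:00 MSK -> inside
    "2023-05-03T17:00:00Z",  # 20:00 MSK -> outside (window is half-open)
]


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def in_working_hours(ts: str, tz: timezone = MSK,
                     start: int = WORKDAY_START, end: int = WORKDAY_END) -> bool:
    """True if the event, viewed in the operator's local zone, falls in [start, end)."""
    local = parse_utc(ts).astimezone(tz)
    return start <= local.hour < end


def working_hours_ratio(events, tz: timezone = MSK):
    """Return (events inside the window, total events, fraction inside)."""
    inside = sum(1 for ts in events if in_working_hours(ts, tz))
    total = len(events)
    return inside, total, (inside / total if total else 0.0)


def rank_offsets(events, offsets=range(-12, 15)):
    """Score each whole-hour UTC offset by how many events land in its workday.

    Returns a list of (offset_hours, count) sorted from best to worst fit.
    Ties are common on small samples, so treat this as a hint, not proof.
    """
    scores = []
    for off in offsets:
        tz = timezone(timedelta(hours=off))
        inside, _, _ = working_hours_ratio(events, tz)
        scores.append((off, inside))
    return sorted(scores, key=lambda s: (-s[1], abs(s[0])))


if __name__ == "__main__":
    inside, total, ratio = working_hours_ratio(SAMPLE_EVENTS_UTC)
    print(f"{inside}/{total} events ({ratio:.0%}) fall within 07:00-20:00 MSK")
    for off, count in rank_offsets(SAMPLE_EVENTS_UTC)[:5]:
        print(f"UTC{off:+d}: {count} events in a 07:00-20:00 workday")
```

On a real data set the same routine runs over hundreds of beacon or login timestamps rather than eight constructed ones, and the spread of high-scoring offsets narrows accordingly; a strong single peak is one piece of supporting evidence for attribution, never sufficient on its own.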

The post Five Eyes countries disable Russia’s Snake malware network first appeared on IT World Canada.
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
