Operation MEDUSA: Feds cut off the head of Russia’s ‘Snake’ cyber espionage tool targeting US businesses, journalists

NSA seal located at the National Security Agency’s headquarters in Fort Meade, Maryland. (Staff photo by Steve Schuster)

By Steve Schuster

The National Security Agency (NSA) said Tuesday that it, along with partner agencies, has identified the infrastructure of the Snake malware, which Russia's Federal Security Service (FSB) has been using to victimize educational institutions, small businesses, media organizations and other sectors throughout the United States and in 50 other countries.

The Justice Department also announced Tuesday the completion of the court-authorized operation, code-named MEDUSA, to disrupt the global peer-to-peer network of computers compromised by sophisticated malware, called “Snake,” that the U.S. Government attributes to a unit within Center 16 of the FSB.

According to a report obtained by the Wisconsin Law Journal, the Snake implant is considered to be the most sophisticated cyber espionage tool designed and used by Russia for long-term intelligence collection on sensitive targets, including American businesses and journalists.

According to the search warrant application also obtained by the Wisconsin Law Journal, computers that were targeted were located in Portland, Oregon; Columbia, South Carolina; Georgia; Connecticut; and California.

For almost two decades, this unit, referred to in court documents as “Turla,” has used versions of the Snake malware to steal sensitive documents from hundreds of computer systems.

After stealing these documents, Turla exfiltrated them through a covert network of unwitting Snake-compromised computers in the United States and around the world, according to Justice Department officials.

According to court documents, the FBI developed capabilities to decrypt and decode Snake communications to successfully defeat this cyber threat. Operation MEDUSA disabled Turla’s Snake malware on compromised computers through the use of an FBI-created tool named PERSEUS, which issued commands that caused the Snake malware to overwrite its own vital components.

The FBI executed the U.S. operation pursuant to a search warrant issued by U.S. Magistrate Judge Cheryl L. Pollak for the Eastern District of New York.

The warrant authorized remote access to the compromised computers. Tuesday, the court unsealed redacted versions of the affidavit submitted in support of the application for the search warrant, and of the search warrant issued by the court.

“The Justice Department, together with our international partners, has dismantled a global network of malware-infected computers that the Russian government has used for nearly two decades to conduct cyber-espionage, including against our NATO allies,” said Attorney General Merrick Garland.

“We will continue to strengthen our collective defenses against the Russian regime’s destabilizing efforts to undermine the security of the United States and our allies,” Garland added.

Assistant Attorney General Matthew Olsen of the Justice Department’s National Security Division said, “The Justice Department will use every weapon in our arsenal to combat Russia’s malicious cyber activity, including neutralizing malware through high-tech operations, making innovative use of legal authorities, and working with international allies and private sector partners to amplify our collective impact.”

Assistant Director Bryan Vorndran of the FBI’s Cyber Division said Tuesday’s “announcement demonstrates the FBI’s willingness and ability to pair our authorities and technical capabilities with those of our global partners to disrupt malicious cyber actors.”

“When it comes to combating Russia’s attempts to target the United States and our allies using complex cyber tools, we will not waver in our work to dismantle those efforts. When it comes to any nation state engaged in cyber intrusions which put our national security at risk, the FBI will leverage all tools available to impose cost on those actors and to protect the American people.”

Snake remains Turla’s most sophisticated long-term cyberespionage malware implant, officials noted.

The FBI and U.S. Intelligence community, together with allied foreign governments, monitored the FSB’s use of the Snake network to exfiltrate data from sensitive computer systems, including those operated by NATO member governments, by routing the transmission of these stolen data through unwitting Snake-compromised computers in the United States, officials said.

According to officials, the FBI provided notice of the court-authorized operation to all owners or operators of the computers remotely accessed pursuant to the search warrant.

Although Operation MEDUSA disabled the Snake malware on compromised computers, victims should take additional steps to protect themselves from further harm, officials said.

“The operation to disable Snake did not patch any vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victims. The Department of Justice strongly encourages network defenders to review the Joint Advisory for further guidance on detection and patching,” officials said.

According to court documents, Turla frequently deployed a “keylogger,” which according to officials can be used to steal account authentication credentials, such as usernames and passwords, from legitimate users.

“Victims should be aware that Turla could use these stolen credentials to fraudulently re-access compromised computers and other accounts,” officials said.

The FBI’s New York Field Office led the operation to disrupt the Snake malware network along with FBI’s Cyber Division, the U.S. Attorney’s Office for the Eastern District of New York, and the National Security Division’s Counterintelligence and Export Control Section. The Criminal Division’s Computer Crime and Intellectual Property Section provided assistance.

Operation MEDUSA was the second U.S. cyber operation in recent days, in what the FBI described as “a whack-a-mole game between law enforcement and miscreants.”