One of the key pieces of malware in the toolbox of Russian intelligence agents has been driven out of the United States, as the FBI has terminated its entire network after a years-long infiltration and tracking operation. The Russian Federal Security Service (FSB) has used “Snake” for cyber espionage since at least 2004, and it has been described as the most sophisticated tool in the country’s hacking arsenal.
Snake had established a peer-to-peer network of infected computers in the US, which the FBI monitored for several years to develop a full map and learn the system’s internal commands. The agency developed a tool to completely shut the network down, which was deployed in early May after receiving approval from a federal judge.
Russian malware network out of commission in US, but individual compromised computers may still pass sensitive information
According to a Justice Department statement, a FSB unit called “Turla” has operated the Snake malware for nearly 20 years and made use of it to steal data from at least 50 countries. The cyber espionage is generally directed at government agencies and journalists in NATO countries with a focus on stealing confidential documents of interest to the Russian government, but is funneled through a network of compromised computers around the world including a number in the US.
The statement indicates that US authorities have been aware of Snake for nearly all of its lifetime, but that it was difficult to pin down as it is highly sophisticated and something that Russia appears to put substantial resources into. Turla routinely upgrades and revises the malware to evade detection, and developed a unique encoded communications protocol to issue commands via its world-spanning peer-to-peer network of infected devices.
The FBI’s Operation Medusa, using a custom tool called Perseus, has wiped the Russian malware off of all known infected systems in the US. This came after an operation spanning years, initiated in 2016, in which the FBI received consent from owners of several infected systems to monitor traffic on them and ultimately figured out how to decrypt the cyber espionage network’s communications. The operation was able to deploy codes that disable the malware on infected devices without impacting their operation in any other way.
Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, notes that law enforcement is becoming more sophisticated in taking down botnets and peer-to-peer networks of this nature: “This is great news, although not a brand new law enforcement tactic. Over the last decade or so, law enforcement have done similar bot takedowns by infiltrating the network or command and control servers. It’s a great strategy, although in some cases it resulted in only a limited, temporary disruption, until the bad guys were able to set up new, different botnets. But occasionally, the takedown results in the permanent disruption of that particular malware botnet, and it never again gains the same status and popularity that it previously enjoyed. This one is run by the Russian FSB, with the resources, time, and incentives to put up another similar botnet, so my best guess is that this is only a temporary disruption. Still, anything that increases the cost and effort of the bad guys to do bad things helps everyone else. And this takedown increases the costs for what Russia is doing and that’s a good thing.”
“On a related note, we are starting to see malware botnets increasingly using self-protection mechanisms that try to complicate law enforcement takedowns. That’s to be expected. The good guys figure out how to better fight malware and the malware purveyors fight back with new defenses. This is the malware bot lifecycle,” added Grimes.
While this is a crippling blow to Snake’s operations in the US, the cyber espionage network remains active in other parts of the world. The FBI says that it is communicating with local authorities in other regions about known infections and remediation methods. It is also notifying infected parties in the US due to the possibility of the Russian hackers planting other forms of malware during the time in which they had access.
“Turla” cyber espionage group has been in action since 1996
The Snake malware will continue to be a problem globally for some time, as it is designed to persist on victim systems even after operating system re-installs and other extreme methods. As will the Turla group, which was first observed in 1996 attempting to break into US government agency systems before much of the country even had internet access. The group operates with the full protection and blessing of the Russian state out of a FSB facility in Ryazan and a branch building in Moscow.
While Snake is one of the most advanced cyber espionage tools ever developed, the investigators say that the key to decrypting and disabling it was that cracks can develop due to human error. The malware requires skilled operators to fully take advantage of, and some have made mistakes over the years that opened the door to discovering how it works.
The FBI also does not have a “magic bullet” to offer the public in terms of defeating what remains of the malware, or future re-installations of it. CISA has issued a mitigation guide that suggests fairly standard security hygiene and hardening practices, such as unique passwords and enabling MFA. The agency also said that the more modern a version of an operating system, the more inherent defenses it will have against the cyber espionage tool’s various tricks.
James Lively, Endpoint Security Research Specialist at Tanium, has some additional suggestions: “Organizations can take several steps to protect themselves from malware attacks like the Snake Malware, including ensuring that the organization has an accurate inventory of assets, systems are patched and updated, phishing campaigns and training are undertaken, and strong access controls are implemented. International cooperation can also be improved to tackle cybercrime by encouraging information sharing and signing agreements and NDAs and performing joint investigations.”
“The major lesson to be learned from the disruption of the Snake Malware network is that it only takes one unpatched system or one untrained user to click a phishing link to compromise an entire organization. “Low hanging fruit” or taking the route with the least amount of resistance is often the first avenue that an attacker looks for. A prime example of this is an old unpatched system that is public facing to the internet and has been forgotten about by the organization,” noted Lively.
A side note to this incident is that it is another example of the government actively removing malware from victim systems without their knowledge in a broad way. This was virtually unheard of until the Microsoft Exchange compromises of late 2020 and early 2021, another case in which the FBI issued a remote command to delete a malicious web shell that had been installed on hundreds of victim systems. The FBI provides notice after the fact to any victims that it interacts with in this way.