The US Department of Justice (DoJ) has announced that it has taken down a long-standing malware operation run by the Federal Security Service of the Russian Federation (FSB). The joint operation, code-named Medusa, was carried out by the DoJ and the Federal Bureau of Investigation (FBI). For nearly two decades, threat group Turla, operating inside the FSB’s notorious Center 16, used Snake malware to steal secrets from NATO-member governments. Following the compromise of target government systems, Turla would exfiltrate sensitive data through a network of compromised machines spread throughout the US and beyond to make detection harder.
## The Snake Malware
Court documents show US authorities have been investigating Snake malware for nearly all of its two decades of existence and had officers assigned to monitor Turla’s activities from a “known FSB facility in Ryazan, Russia,” according to the Eastern District of New York announcement of operation Medusa. Turla has a long history of cyber-espionage and is one of the oldest intrusion groups tracked by threat hunters. The group focuses on the classic targets of espionage (government, military, and the defense sector), and its activity is characterized by a reliably quiet assault on those targets that rarely draws attention to itself.
“There have been occasional high-profile Turla operations, like the Agent.BTZ incident in the early 2000s and the Moonlight Maze activity in the ’90s, but these events are outweighed by a breadth of activity that goes unnoticed,” according to John Hultquist, head of Mandiant intelligence analysis for Google Cloud, citing Mandiant’s CEO and founder Mandia.
## Perseus Tool
The FBI developed a tool named Perseus, which was able to command components of the Snake malware to overwrite themselves on compromised systems, the DoJ added. The successful deployment of Perseus was significant in that it demonstrated the ability of the US to carry out high-tech operations against foreign malware operators.
“For 20 years, the FSB has relied on the Snake malware to conduct cyberespionage against the United States and our allies — that ends today,” Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division said in the statement. “The Justice Department will use every weapon in our arsenal to combat Russia’s malicious cyber activity, including neutralizing malware through high-tech operations, making innovative use of legal authorities, and working with international allies and private sector partners to amplify our collective impact.”
## Recommendations
While the operation was a significant achievement, Frank van Oeveren, manager of threat intelligence & security research at Fox-IT, part of NCC Group, warned that Turla is a creative group and should not be underestimated despite the setback to its use of Snake malware. The expectation is that Turla will continue its operations with a different framework, he said.
The success of the operation highlights the need for governments and the private sector to take measures to detect and combat malware attacks. This includes developing and deploying advanced malware detection and response technologies, such as those being developed by cybersecurity firms and government cybersecurity agencies. Governments must also adopt a coordinated approach to sharing intelligence and working with international allies to neutralize malware and other cyber threats.
The US will need to continue to innovate and seek legal authorities to strengthen its cybersecurity posture in the face of a continuing barrage of cyber-attacks from foreign adversaries.