[Finger on the Trigger] How the FBI Nuked Russian FSB's Snake Data Theft Malware



The Five Eyes member nations' cybersecurity and intelligence agencies dismantled the infrastructure of the Snake cyber-espionage malware that was operated by Russia's Federal Security Service (FSB).

The Snake malware, initially known as "Uroburos", was developed in late 2003, and the first versions of the implant were completed by early 2004. Russian state hackers began using the malware in their attacks shortly after.

The Snake peer-to-peer botnet had infected computers of some NATO member governments. The malware was traced back to a unit within Center 16 of the FSB, which is the infamous Russian Turla hacking group. The botnet was disrupted due to a collaborative effort called Operation MEDUSA.

Attorney General Garland announced in a press release that the Justice Department, with the help of international partners, has dismantled a global network of malware-infected computers that were being used for cyber-espionage by the Russian government.

This activity had been going on for nearly two decades and targeted both the United States and our NATO allies. Court documents unsealed today in the form of an affidavit and search warrant show that U.S. officials had been tracking the Snake and Snake-related malware tools for almost 20 years. Additionally, they monitored Russian Turla hackers who used Snake from an FSB facility in Ryazan, Russia.

Snake, which is considered the most advanced malware implant used by FSB for long-term cyber espionage, allowed remote installation of malware on compromised devices, stealing sensitive documents and authentication credentials, maintaining persistence and hiding malicious activities. Five Eyes cybersecurity and intel agencies have issued a joint advisory with information to help detect and remove Snake malware from networks.

Disabled via self-destruct command

They removed the malware from all infected devices within the U.S. while also notifying local authorities in other countries about the Snake malware and providing guidance on how to remediate it. They were able to decrypt and decode the Snake communications through analysis of the malware and its network, as explained in court documents by the U.S. Justice Department.

The FBI created PERSEUS, a tool that communicates with the Snake malware on a computer and commands it to disable itself. This action does not harm the host computer or any legitimate applications. The tool was developed using information obtained by monitoring the Snake network and analyzing the malware.

The FBI decrypted network traffic between NATO and U.S. devices infected with Snake malware. They discovered that Turla operators utilized the malware to attempt to steal what appeared to be classified documents from the United Nations and NATO.

The FBI was able to use the search warrant to access the infected devices, remove the malware without causing damage to any legitimate files or applications, and shut down the malware operating on the hacked computers.

The FBI is informing all owners or operators of computers that have been remotely accessed to remove the Snake malware. They are also warning them that they may need to remove other types of malicious tools or malware that were planted by the attackers, including keyloggers that Turla often uses on infected systems.

Russian FSB hackers used the Snake malware infrastructure to gather and steal sensitive data from various targets, including government networks, research organizations, and journalists in more than 50 countries before it was disrupted.

Since 1996, there have been cyber-espionage campaigns targeting various governments, embassies, and research facilities around the world. Turla, also known as Waterbug and Venomous Bear, is believed to be responsible for these attacks, including those on the U.S. Central Command, the Pentagon, NASA, several Eastern European Ministries of Foreign Affairs, and the Finnish Foreign Ministry.

No data about the Initial Access Vector

The releases do not describe the initial access vector of this malware, but you can count on the vast majority of infections having come through social engineering, phishing and/or spear phishing.

Here is the CISA technical background, fascinating reading! https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a
