One of the Russian government’s most sophisticated long-running cyberespionage operations was hacked and disrupted by the FBI as part of a sprawling international effort, officials with the U.S. government announced Tuesday.
The FBI operation dubbed “Medusa” targeted nearly 2o-year-old malware operated by Turla, a unit within the Federal Security Service of the Russian Federation, which has been known for years as one of Russia’s premier cybersespionage outfits.
The group was using and continuously updating a piece of malware known as “Snake” — which dates back to 2004 — to steal sensitive documents from hundreds of computer systems in at least 50 countries, the U.S. Department of Justice said in a statement. The stolen material was then exfiltrated through a covert network of Snake-compromised computers in the U.S. and other countries.
The FBI gained physical access to some of the compromised computers, studied Snake and developed a tool called “Perseus” to decrypt and decode Snake communications. On May 8, the FBI used Perseus to issue commands to Snake to cause it to overwrite its own vital components without affecting the host computer or other legitimate applications on that computer, the officials told reporters during a briefing on Tuesday.
“The Justice Department, together with our international partners, has dismantled a global network of malware-infected computers that the Russian government has used for nearly two decades to conduct cyber-espionage, including against our NATO allies,” Attorney General Merrick Garland said in a statement. “We will continue to strengthen our collective defenses against the Russian regime’s destabilizing efforts to undermine the security of the United States and our allies.”
A range of U.S. government agencies and its counterparts around the world issued a joint 48-page cybersecurity advisory on Tuesday detailing the operation, how Snake works and mitigations.
The operation relied on a legal provision known as Rule 41, which allows a judge to grant U.S. investigators access to computers in multiple jurisdictions and take specific actions. The provision has been used in other proactive federal cyber operations including the April 2021 disruption of a likely Chinese espionage operation known as Hafnium, and the April 2022 FBI dismantling of a Russian military intelligence-controlled botnet known as Cyclops Blink. All three operations, along with other cybercrime enforcement actions, are part of a sustained U.S. government push to do more proactive and aggressive cyber operations, as recently described by U.S. Deputy Attorney General Lisa Monaco.
A key aspect of Snake was its peer-to-peer nature, which allowed the Russians to route its espionage and exfiltration activity through compromised computers in trusted locations, making the activity harder to detect. Over several years, the FBI developed methods of distinguishing, decrypting and interpreting Snake network traffic, the FBI alleged in the affidavit filed to the court to get approval for the operation.
According to the affidavit, the FBI was able to identify 19 IP addresses associated with computers in the U.S. that were infected with Snake. Over the course of several years dating back to at least 2015, the FBI and U.S. Intelligence Community has worked with several cooperating victim organizations to learn more about Snake, according to the affidavit. In some cases, victim entities cooperated with the FBI to enable analysis of Snake. But in at least two cases, entities found to have been infected by Snake either fully or partially declined to participate in the FBI’s investigation, according to the affidavit.
Snake-infected computers became nodes in the network, and the malware allowed for both the exfiltration of material from those computers and for those computers to communicate with other infected computers to route stolen material and communications, according to the FBI. A senior FBI official declined Tuesday to identify how many U.S. based computers were infected.
For years intelligence agencies in the U.S. and elsewhere have warned about Turla and the various tools the unit uses to complete its espionage mission.
“Turla is a Russian cyber espionage actor and one of the oldest intrusion groups we track, existing in some form as early as the 1990s when Kevin Mandia was responding to their intrusions into government and the defense industry,” John Hultquist, the head of Mandiant Intelligence Analysis, said in a statement. “They are focused on the classic targets of espionage — government, military, and the defense sector, and their activity is characterized by a reliably quiet assault on these targets that rarely draws attention to themselves. On occasion, Turla activities have been exposed in major incidents, like the Agent.BTZ incident in the early 2000’s, and the Moonlight Maze activity in the 90s, but these events are outweighed by a breadth of activity that goes unnoticed.”
Updated, 5/9/23: This story has been updated to include additional information from the FBI’s affidavit, a statement from U.S. Attorney General Merrick Garland and a link to the joint cybersecurity advisory.