The Justice Department today revealed the conclusion of a court-authorized operation, code-named MEDUSA, to interfere with a worldwide peer-to-peer network of computer systems jeopardized by advanced malware, called “Snake”, that the U.S. Government credits to a unit within Center 16 of the Federal Security Service of the Russian Federation (FSB). For almost twenty years, this system, described in court files as “Turla,” has actually utilized variations of the Snake malware to take delicate files from numerous computer system systems in a minimum of 50 nations, which have actually come from North Atlantic Treaty Organization (NATO) member federal governments, reporters, and other targets of interest to the Russian Federation. After taking these files, Turla exfiltrated them through a concealed network of unwitting Snake-jeopardized computer systems in the United States and around the globe.
Operation MEDUSA handicapped Turla’s Snake malware on jeopardized computer systems through making use of an FBI-created tool called PERSEUS, which provided commands that triggered the Snake malware to overwrite its own important parts. Within the United States, the operation was carried out by the FBI pursuant to a search warrant provided by U.S. Magistrate Judge Cheryl L. Pollak for the Eastern District of New York, which licensed remote access to the jeopardized computer systems. This early morning, the court unsealed redacted variations of the affidavit sent in assistance of the application for the search warrant, and of the search warrant provided by the court. For victims outside the United States, the FBI is engaging with regional authorities to offer both notification of Snake infections within those authorities’ nations and removal assistance.
“The Justice Department, together with our international partners, has dismantled a global network of malware-infected computers that the Russian government has used for nearly two decades to conduct cyber-espionage, including against our NATO allies,” said Attorney General Merrick B. Garland. “We will continue to strengthen our collective defenses against the Russian regime’s destabilizing efforts to undermine the security of the United States and our allies.”
“Through a high-tech operation that turned Russian malware against itself, U.S. law enforcement has neutralized one of Russia’s most sophisticated cyber-espionage tools, used for two decades to advance Russia’s authoritarian objectives,” said Deputy Attorney General Lisa O. Monaco. “By combining this action with the release of the information victims need to protect themselves, the Justice Department continues to put victims at the center of our cybercrime work and take the fight to malicious cyber actors.”
“For 20 years, the FSB has relied on the Snake malware to conduct cyberespionage against the United States and our allies – that ends today,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “The Justice Department will use every weapon in our arsenal to combat Russia’s malicious cyber activity, including neutralizing malware through high-tech operations, making innovative use of legal authorities, and working with international allies and private sector partners to amplify our collective impact.”
“Russia used sophisticated malware to steal sensitive information from our allies, laundering it through a network of infected computers in the United States in a cynical attempt to conceal their crimes. Meeting the challenge of cyberespionage requires creativity and a willingness to use all lawful means to protect our nation and our allies,” said U.S. Attorney Breon Peace for the Eastern District of New York. “The court-authorized remote search and remediation announced today demonstrates my office and our partners’ commitment to using all of the tools at our disposal to protect the American people.”
“Today’s announcement demonstrates the FBI’s willingness and ability to pair our authorities and technical capabilities with those of our global partners to disrupt malicious cyber actors,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “When it comes to combating Russia’s attempts to target the United States and our allies using complex cyber tools, we will not waver in our work to dismantle those efforts. When it comes to any nation state engaged in cyber intrusions which put our national security at risk, the FBI will leverage all tools available to impose cost on those actors and to protect the American people.”
As detailed in court files, the U.S. Government has actually been examining Snake and Snake-associated malware tools for almost twenty years. The U.S. federal government has actually kept track of FSB officers appointed to Turla carrying out everyday operations utilizing Snake from a recognized FSB center in Ryazan, Russia.
Although Snake has actually been the based on a number of cybersecurity market reports throughout its presence, Turla has actually used various upgrades and modifications, and selectively released it, all to make sure that Snake stays Turla’s most advanced long-lasting cyberespionage malware implant. Unless interfered with, the Snake implant continues on a jeopardized computer system’s system forever, usually undiscovered by the device’s owner or licensed users. The FBI has actually observed Snake continue on specific computer systems regardless of a victim’s efforts to remediate the compromise.
Snake offers its Turla operators the capability to from another location release chosen malware tools to extend Snake’s performance to recognize and take delicate info and files saved on a specific device. Most notably, the around the world collection of Snake-jeopardized computer systems serves as a concealed peer-to-peer network, which makes use of tailored interaction procedures created to hinder detection, tracking, and collection efforts by Western and other signals intelligence services.
Turla utilizes the Snake network to path information exfiltrated from target systems through various relay nodes spread around the globe back to Turla operators in Russia. For example, the FBI, its partners in the U.S. Intelligence Community, together with allied foreign federal governments, have actually kept track of the FSB’s usage of the Snake network to exfiltrate information from delicate computer system systems, consisting of those run by NATO member federal governments, by routing the transmission of these taken information through unwitting Snake-jeopardized computer systems in the United States.
As explained in court files, through analysis of the Snake malware and the Snake network, the FBI established the ability to decrypt and decipher Snake interactions. With info obtained from keeping an eye on the Snake network and studying Snake malware, the FBI established a tool called PERSEUS which develops interaction sessions with the Snake malware implant on a specific computer system, and concerns commands that triggers the Snake implant to disable itself without impacting the host computer system or genuine applications on the computer system.
Today, to empower network protectors worldwide, the FBI, the National Security Agency, the Cybersecurity and Infrastructure Security Agency, the U.S. Cyber Command Cyber National Mission Force, and 6 other intelligence and cybersecurity firms from each of the Five Eyes member countries provided a joint cybersecurity advisory (the Joint Advisory) with comprehensive technical info about the Snake malware that will enable cybersecurity specialists to find and remediate Snake malware infections on their networks. The FBI and U.S. Department of State are likewise offering extra info to regional authorities in nations where computer systems that have actually been targeted by the Snake malware have actually lain.
Although Operation MEDUSA disabled the Snake malware on jeopardized computer systems, victims must take extra actions to secure themselves from more damage. The operation to disable Snake did not spot any vulnerabilities or look for or eliminate any extra malware or hacking tools that hacking groups might have put on victim. The Department of Justice highly motivates network protectors to examine the Joint Advisory for more assistance on detection and patching. Moreover, as kept in mind in court files, Turla often releases a “keylogger” with Snake that Turla can utilize to take account authentication qualifications, such as usernames and passwords, from genuine users. Victims must know that Turla might utilize these taken qualifications to fraudulently re-access jeopardized computer systems and other accounts.
The FBI has actually offered notification of the court-authorized operation to all owners or operators of the computer systems from another location accessed pursuant to the search warrant.
Assistant U.S. Attorney Ian C. Richardson for the Eastern District of New York is prosecuting the case, with important support offered by the National Security Division’s Counterintelligence and Export Control Section.
The efforts to interfere with the Snake malware network were led by the FBI New York Field Office, FBI’s Cyber Division, the U.S. Attorney’s Office for the Eastern District of New York, and the National Security Division’s Counterintelligence and Export Control Section. The Criminal Division’s Computer Crime and Intellectual Property Section offered important support. Those efforts would not have actually succeeded without the collaboration of various private-sector entities, consisting of those victims who enabled the FBI to keep an eye on Snake interactions on their systems.
