The US government on Tuesday announced the court-authorized disruption of a global network of computers compromised by an advanced strain of malware known as Snake, operated by the Federal Security Service (FSB) of Russia.
Called “the most sophisticated cyber espionage tool,” Snake is the work of a Russian state-sponsored group called Turla (also known as Iron Hunter, Secret Blizzard, SUMMIT, Uroburos, Venomous Bear, and Waterbug), which the US government attributes to a unit within the FSB’s Center 16.
The threat actor has a history of focusing heavily on entities in Europe, the Commonwealth of Independent States (CIS) and NATO-affiliated countries, with recent activity expanding its footprint to include Middle Eastern nations considered a threat to the countries supported by Russia in the region.
“For almost 20 years, this unit […] has used versions of the Snake malware to steal sensitive documents from hundreds of computer systems in at least 50 countries, which have belonged to North Atlantic Treaty Organization (NATO) member governments, journalists and other targets of interest for the Russian Federation,” the Justice Department said.
“After stealing these documents, Turla exfiltrated them through a covert network of unwitting Snake-compromised computers in the United States and around the world.”
The neutralization was carried out as part of an effort called Operation MEDUSA using a tool created by the US Federal Bureau of Investigation (FBI) and codenamed PERSEUS, which allowed authorities to issue commands to the malware that caused it to “overwrite its own vital components” on infected machines.
The self-destruct instructions, developed after decrypting and decoding the malware’s network communications, caused the “Snake implant to be deactivated without affecting the host computer or legitimate applications on the computer,” the agency said.
Snake, according to an advisory released by the US Cybersecurity and Infrastructure Security Agency (CISA), is designed as a covert tool for long-term intelligence gathering on high-priority targets, and allows the adversary to create a peer-to-peer (P2P) network of compromised systems worldwide.
Additionally, several systems in the P2P network served as relay nodes, routing disguised operational traffic from Snake implants to the FSB’s end targets and making the activity difficult to detect.
The cross-platform, C-based malware further employs custom communication methods that add a layer of stealth, and features a modular architecture that allows components to be injected or modified efficiently to extend its capabilities and maintain persistent access to valuable information.
“Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity,” CISA said, adding that initial versions of the implant were developed as early as 2004.
“The name Uroburos is appropriate, as the FSB circulated it through almost constant stages of upgrading and redevelopment.”
Infrastructure associated with the Kremlin-backed group has been identified in more than 50 countries across North America, South America, Europe, Africa, Asia and Australia, although its targeting is assessed as more tactical, encompassing government networks, research facilities and journalists.
Affected sectors in the US include education, small businesses and media organizations, as well as critical infrastructure sectors such as government facilities, financial services, critical manufacturing and communications.
Despite these setbacks, Turla remains an active and formidable adversary, deploying a range of tactics and tools to breach its targets on Windows, macOS, Linux and Android.
The development comes just over a year after US intelligence agencies and law enforcement dismantled a modular botnet known as Cyclops Blink, controlled by another Russian nation-state actor known as Sandworm.
The U.S. government recently neutralized Snake, Russia’s most sophisticated cyber espionage tool, after a major security operation. The government identified malicious activity linked to the tool in 2018, but only recently applied a technical disruption that blocked the malware’s ability to function effectively.
The Snake malware operates like a computer virus and can spread quickly throughout an organization’s networks, acting as a malicious agent that steals sensitive data or conducts espionage. It is particularly adept at covering its tracks and passing through traditional security systems undetected.
However, the U.S. government and the Department of Homeland Security (DHS) have managed to systematically disrupt the Snake malware and prevent it from posing any further threat to network security. The authorities have used this technical disruption to limit the capability of the Snake tool and make it much harder for hackers to use the software against their intended victims.
The technical disruption resulted from the government applying its cybersecurity expertise, along with relevant technologies and products from trusted companies. This includes leveraging services from companies like Ikaroa, which specialize in full-stack solutions for network monitoring, defense and management that can help organizations better defend themselves against malicious actors.
This is just the latest example of the US government’s commitment to strengthening its security systems and preventing attacks by malicious actors in the cyber domain. By disrupting the Snake malware, the government has effectively neutralized one of the most sophisticated espionage tools used by Russia. It is likely that similar methods will be applied to prevent similar malicious activity in the future.