The U.S. government on Tuesday announced the court-authorized disruption of a global network compromised by an advanced malware strain known as Snake wielded by Russia’s Federal Security Service (FSB).
Snake, dubbed the “most sophisticated cyber espionage tool,” is the handiwork of a Russian state-sponsored group called Turla (aka Iron Hunter, Secret Blizzard, SUMMIT, Uroburos, Venomous Bear, and Waterbug), which the U.S. government attributes to a unit within Center 16 of the FSB.
The threat actor has a track record of heavily focusing on entities in Europe, the Commonwealth of Independent States (CIS), and countries affiliated with NATO, with recent activity expanding its footprint to incorporate Middle Eastern nations deemed a threat to countries supported by Russia in the region.
“For nearly 20 years, this unit […] has used versions of the Snake malware to steal sensitive documents from hundreds of computer systems in at least 50 countries, which have belonged to North Atlantic Treaty Organization (NATO) member governments, journalists, and other targets of interest to the Russian Federation,” the Justice Department said.
“After stealing these documents, Turla exfiltrated them through a covert network of unwitting Snake-compromised computers in the United States and around the world.”
The neutralization was orchestrated as part of an effort dubbed Operation MEDUSA by means of a tool created by the U.S. Federal Bureau of Investigation (FBI) codenamed PERSEUS that permitted the authorities to issue commands to the malware that caused it to “overwrite its own vital components” on infected machines.
The self-destruct instructions, engineered after decrypting and decoding the malware’s network communications, caused the “Snake implant to disable itself without affecting the host computer or legitimate applications on the computer,” the agency said.
Snake, according to an advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), is designed as a covert tool for long-term intelligence collection on high-priority targets, enabling the adversary to create a peer-to-peer (P2P) network of compromised systems across the world.
What’s more, several systems in the P2P network served as relay nodes to route disguised operational traffic to and from Snake malware implanted on FSB’s ultimate targets, making the activity challenging to detect.
The C-based, cross-platform malware also uses custom communication methods that add a further layer of stealth, and its modular architecture lets operators inject or modify components to extend its capabilities and retain persistent access to valuable information.
“Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity,” CISA said, adding initial versions of the implant were developed around early 2004.
“The name Uroburos is appropriate, as the FSB cycled it through nearly constant stages of upgrade and redevelopment.”
Infrastructure associated with the Kremlin-backed group has been identified in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia, although its targeting is assessed to be more tactical, encompassing government networks, research facilities, and journalists.
Victimized sectors within the U.S. include education, small businesses, and media organizations, as well as critical infrastructure sectors such as government facilities, financial services, critical manufacturing, and communications.
The development comes a little over a year after U.S. law enforcement and intelligence agencies disarmed a modular botnet known as Cyclops Blink controlled by another Russian nation-state actor referred to as Sandworm.