FBI disrupts long-running Russian ‘Snake’ malware network

The court-sanctioned operation, codenamed ‘Medusa,’ used an FBI-created tool named PERSEUS, which issued commands that caused the Snake malware to overwrite its own vital components.

US officials announced that the FBI hacked into and successfully disrupted a long-running Russian cyberespionage operation run by Turla, a unit within Russia’s Federal Security Service (FSB).
The US Department of Justice and an international law enforcement coalition have alleged that Turla had been using malware called ‘Snake’ since 2004 to steal sensitive information from hundreds of computer systems in at least 50 countries across North America, South America, Europe, Africa, Asia, and Australia. The stolen material was then exfiltrated through a network of Snake-compromised computers.

Officials shared that the FBI, under the operation codenamed ‘Medusa,’ gained physical access to some of the compromised computers, studied the Snake malware and then developed a tool called ‘Perseus’ to decrypt and decode Snake communications. On 8 May, the FBI used Perseus to issue commands to Snake that led it to overwrite its own code without affecting the host computer or legitimate applications.

A joint Cybersecurity Advisory (CSA) by several US government agencies and their global counterparts provides background on Snake’s attribution to the FSB and detailed technical descriptions of the implant’s host architecture and network communications.