US, partners take down Russian Turla’s “Snake” espionage network

US officials announced the takedown of a covert peer-to-peer (P2P) network of computers infected with “Snake” malware used by Russia’s federal intelligence service for nearly 20 years to spy on the US and its allies.

The “Snake” cyber-espionage tool has been used by threat actors to steal sensitive documents from hundreds of computer systems in at least 50 countries, including those belonging to North Atlantic Treaty Organization (NATO) member governments, journalists, and other targets of interest to the Russian Federation.

The US government has officially attributed the malware to the Turla APT, a unit within Center 16 of the Federal Security Service of the Russian Federation (FSB).

“The US government has been investigating Snake and Snake-related malware tools for nearly 20 years. The US government has monitored FSB officers assigned to Turla conducting daily operations using Snake from a known FSB facility in Ryazan, Russia,” the US Department of Justice said.

The malware operation has been disabled as part of a law enforcement effort referred to as “Operation Medusa” using an FBI-created tool called “Perseus,” which issued commands that caused the Snake malware to overwrite its own vital components. However, the authorities warned that the operation only disabled the “Snake” malware on the infected computers, so victims are advised to conduct their own analysis to find any vulnerabilities or additional hacking tools that would allow threat actors to regain access to the systems.

“Turla frequently deploys a ‘keylogger’ with Snake that Turla can use to steal account authentication credentials, such as usernames and passwords, from legitimate users. Victims should be aware that Turla could use these stolen credentials to fraudulently re-access compromised computers and other accounts,” officials said.

The US Cybersecurity and Infrastructure Security Agency (CISA), together with cybersecurity agencies from the other Five Eyes alliance countries (UK, Canada, Australia, New Zealand), released a lengthy technical advisory detailing Snake’s infrastructure and the TTPs (tactics, techniques, and procedures) used by the Turla cyber-espionage group.
