Cybersecurity and intelligence agencies from all Five Eyes member countries have taken down the infrastructure used by the Snake cyber-espionage malware operated by Russia’s Federal Security Service (FSB).
Development of the Snake malware began under the name “Uroburos” in late 2003, and early versions of the implant were apparently finalized in early 2004, with Russian state hackers deploying the malware in attacks shortly afterward.
The malware is linked to a unit within Center 16 of the FSB, the notorious Russian Turla hacking group, and was taken down following a coordinated effort named Operation MEDUSA.
Among the computers trapped in the peer-to-peer Snake botnet, the FBI also found devices belonging to NATO member governments.
“The Department of Justice, together with our international partners, has taken down a global network of malware-infected computers that the Russian government has used for nearly two decades to conduct cyber espionage, including against our allies in NATO,” said Attorney General Garland in a news release issued today.
According to court documents unsealed today (an affidavit and a search warrant), the US government has closely monitored Snake and Snake-related malicious tools for nearly 20 years, observing Russian Turla hackers using Snake from an FSB facility in Ryazan, Russia.
Described as “the FSB’s most sophisticated long-term malicious cyber espionage implant”, Snake enabled its operators to remotely install malware on compromised devices, steal documents and sensitive information (e.g., authentication credentials), maintain persistence, and mask their malicious activities while using this “secret peer-to-peer network.”
The Five Eyes cybersecurity and intelligence agencies also released a joint advisory with details to help defenders detect and remove Snake malware on their networks.
Disabled via self-destruct command
The FBI has removed the malware from all infected devices in the United States, while outside the United States the agency is “engaging with local authorities to provide both notice of Snake infections in those authorities’ countries and remedial advice”.
“As described in court documents, through analysis of the Snake malware and the Snake Network, the FBI has developed the ability to decipher and decode Snake communications,” the US Department of Justice said.
“With information gathered from monitoring the Snake network and analyzing the Snake malware, the FBI developed a tool, named PERSEUS, which establishes communication sessions with the Snake malware implant on a particular computer, and issues commands that cause the Snake implant to be disabled without affecting the host computer or legitimate applications on the computer.”
After deciphering network traffic between NATO and US devices compromised by the Snake malware, the FBI also discovered that Turla operators were using the implant in an attempt to steal what appeared to be confidential United Nations and NATO documents.
The search warrant obtained by the FBI allowed the agency to access infected devices, overwrite the malware without affecting legitimate applications and files, and terminate the malware running on the compromised computers.
The FBI is now notifying all owners or operators of the computers it accessed remotely to remove the Snake malware, and is informing them that they may also need to remove other malicious tools or malware planted by the attackers, including keyloggers that Turla often deployed to infected systems.
Until it was disrupted, the Snake malware infrastructure, which has been detected in over 50 countries, was used by Russian FSB hackers to collect and steal sensitive data from a wide range of targets, including government networks, research organizations and journalists.