FBI Dismantles Russian Malware That Stole Government Secrets

The U.S. government confirmed this week that it has destroyed a Russian cyber espionage campaign that has been stealing sensitive information from the federal government and NATO allies.

A Justice Department press release revealed that an FBI operation successfully dismantled the ‘Snake’ malware network, which it has been monitoring for almost 20 years.

The malicious software has been linked to Turla, a notorious hacking group with ties to Russia’s security agency, the FSB. The group is believed to be responsible for previous cyber attacks against the Pentagon, NASA, research organizations and journalists.

What is Snake?

U.S. officials describe Snake as the “most sophisticated cyber espionage tool in the FSB’s arsenal.” Its development began in 2003, under the name “Uroboros,” and Russian state hackers began deploying the malware the following year.

Snake enables its operators to remotely install malware on compromised devices, steal sensitive documents and information, maintain persistence, and hide their malicious activities by using its “covert peer-to-peer network.”

The Justice Department and its Five Eyes partners (in Australia, Canada, New Zealand, and the United Kingdom) identified Snake malware in hundreds of computer systems in at least 50 countries.

Prosecutors said that Snake persists on a compromised computer system “indefinitely,” despite efforts by the victim to neutralize the infection.

They added that Russia’s security agency used its network of Snake-infected computers to target organizations across a range of sectors, including education, media, government facilities, financial services, manufacturing, and communications.

The FBI said that it gathered information indicating that the Turla group has also used Snake to target the personal computer of a journalist at an unnamed U.S. news media company who had reported on the Russian government.

Killing the beast

According to the FBI’s affidavit, authorities in the U.S. monitored the spread of Snake for several years. During this time, they developed a tool called Perseus that enabled their agents to identify network traffic that the malware had obfuscated.

Between 2016 and 2022, FBI officials identified the IP addresses of eight computers infected with Snake in California, Georgia, Connecticut, New York, Oregon, South Carolina, and Maryland.

Having gained consent from the owners of those computers, the FBI obtained remote access to some of the compromised machines. It then observed the computers over the course of several years, tracking Snake and identifying further victims.

Meanwhile, the FBI developed capabilities to impersonate Turla and issue commands to the Snake malware as though they came from the group.

The breakthrough in the investigation came this week, when a federal judge authorized the FBI to issue a mass shutdown command to the network.

Its agents used Perseus to trick the Snake malware into deleting itself from the computers it had infected.

The FBI said that it believes this action has permanently disabled the Russian-controlled malware and will prevent the Russian government from accessing the malware currently installed on the compromised computers.

What next?

Although the FBI is confident that its actions have disabled Snake, the potential for malicious activity remains.

The Justice Department warned that Russian hackers could still have access to the compromised machines, because the operation didn’t search for or remove any additional malware or hacking tools.

Meanwhile, the FBI noted that Turla frequently uses keyloggers on victims’ machines to capture login credentials, such as usernames and passwords. If the group holds such credentials, it could still gain unauthorized access to sensitive information and might be able to launch additional attacks.

The U.S. cybersecurity agency CISA has published a report that helps organizations and individuals detect and remove Snake malware on their systems.