Source: https://techcrunch.com/2023/05/10/turla-snake-malware-network-russia-fsb/

The U.S. government said it has disrupted a long-running Russian cyber espionage campaign that stole sensitive information from the U.S. and NATO governments, an operation that took the feds almost 20 years.

The Justice Department announced on Tuesday that an FBI operation successfully dismantled the “Snake” malware network used by Turla, a notorious hacking group long affiliated with Russia’s Federal Security Service (FSB). Turla was previously linked to cyberattacks targeting U.S. Central Command, NASA and the Pentagon.

U.S. officials describe Snake as the “most sophisticated cyber espionage tool in the FSB’s arsenal.”

The DOJ and its global partners identified the Snake malware in hundreds of computer systems in at least 50 countries. Prosecutors said the Russian spies behind the Turla group used the malware to target NATO member states — and other targets of the Russian government — as far back as 2004.

In the United States, the FSB used its sprawling network of Snake-infected computers to target industries including education, small businesses and media organizations, along with critical infrastructure sectors including government facilities, financial services, manufacturing and communications. The FBI said it obtained information indicating that Turla had also used Snake malware to target the personal computer of a journalist at an unnamed U.S. news media company who had reported on the Russian government.

Prosecutors added that Snake persists on a compromised computer’s system “indefinitely,” despite efforts by the victim to neutralize the infection.

After stealing sensitive documents, Turla exfiltrated this information through a covert peer-to-peer network of Snake-compromised computers in the U.S. and other countries, the DOJ said, making the network’s presence harder to detect.

According to the FBI’s affidavit, U.S. authorities monitored the malware’s spread for several years, along with the Turla hackers who operated Snake from FSB facilities in Moscow and the nearby city of Ryazan.

The FBI said it developed a tool called “Perseus” — the Greek hero who slayed monsters — that allowed its agents to identify network traffic that the Snake malware had tried to obfuscate.

Between 2016 and 2022, FBI officials identified the IP addresses of eight compromised computers in the U.S., located in California, Georgia, Connecticut, New York, Oregon, South Carolina and Maryland. (The FBI said it also alerted local authorities to take down Snake infections on compromised machines located outside of the United States.)

With the victim’s consent, the FBI obtained remote access to some of the compromised machines and monitored each for “years at a time.” This allowed the FBI to identify other victims in the Snake network, and to develop capabilities to impersonate the Turla operators and issue commands to the Snake malware as if the FBI agents were the Russian hackers.

Then this week, after obtaining a search warrant from a federal judge in Brooklyn, New York, the FBI was given the green light to mass-command the network to shut down.

The FBI used its Perseus tool to mimic Snake’s built-in commands, which when transmitted by Perseus from an FBI computer, “will terminate the Snake application and, in addition, permanently disable the Snake malware by overwriting vital components of the Snake implant without affecting any legitimate applications or files on the subject computers.”

The affidavit said the FBI used Perseus to trick the Snake malware to self-delete itself on the very computers it had infected. The FBI says it believes this action has permanently disabled the Russian-controlled malware on infected machines and will neutralize the Russian government’s ability to further access the Snake malware currently installed on the compromised computers.

The feds warned that if it hadn’t taken action to dismantle the malware network when it did, the Russian hackers could have learned “how the FBI and other governments were able to disable the Snake malware and harden Snake’s defenses.”

While the FBI has disabled the Snake malware on compromised computers, the DOJ warned that the Russian hackers could still have access to compromised machines, since the operation did not search for or remove any additional malware or hacking tools that the hackers may have placed on victim networks. The feds also warned that Turla frequently deploys a “keylogger” on victims’ machines to steal account authentication credentials, such as usernames and passwords, from legitimate users.

U.S. cybersecurity agency CISA launched a 48-page joint advisory to help defenders detect and remove Snake malware on their networks.

How the US dismantled a malware network used by Russian spies to steal government secrets

2023-05-10 22:48:25

The FBI tracked the cyber-espionage malware for close to two decades

From Brooklyn to Moscow