FBI dismantles 'Snake' malware network created by Russian spies

Russian intelligence agency leveraged the Snake tool to infect computers in over 50 countries

The FBI has successfully disrupted a sophisticated malware network that had been used by Russian spies for nearly two decades to gather sensitive data from hundreds of computers across 50 countries.

The US Department of Justice (DOJ) announced the action [pdf] on Tuesday, stating that the covert malware network known as "Snake" was used by Russia's intelligence agencies to steal and transmit data from a specific set of targets that included NATO member governments, journalists, and the financial and technology sectors.

Investigators alleged that Turla, a unit of the Federal Security Service of the Russian Federation (FSB), had been using the Snake malware since 2004 to stealthily extract documents that were of interest to the Russian government while evading detection.

Snake malware enabled its operators to remotely install other malicious software on compromised devices, extract sensitive information, remain undetected, and conceal their malicious activities through the use of a "covert peer-to-peer network."

In a separate report, the Cybersecurity and Infrastructure Security Agency (CISA) said that the Russian agency had leveraged the Snake tool to infect computers in over 50 countries, including various American organisations such as educational institutions, small businesses and media outlets. Critical infrastructure sectors such as government facilities, manufacturing, communications and financial services were also targeted.

According to the CISA report, Snake was designed with the capability to easily integrate new or updated components, and was compatible with computers operating on Windows, Linux and Macintosh operating systems.

Turla, which is also known by the monikers Waterbug and Venomous Bear, is generally regarded by the security research community as one of the most highly advanced hacking groups.

The US government has named the operation to disrupt Turla's Snake malware "Operation Medusa."

To combat the Snake malware, the FBI created a tool called PERSEUS, which proved to be effective in instructing the components of the malware to overwrite themselves on systems that had been compromised.

"As described in court documents, through analysis of the Snake malware and the Snake network, the FBI developed the capability to decrypt and decode Snake communications," the DOJ said.

By initiating communication sessions with the Snake malware implant on a targeted computer, PERSEUS was able to issue commands that prompted the Snake implant to deactivate itself while leaving the host computer and legitimate applications unaffected.

With a search warrant in hand, the FBI was granted access to the infected devices, enabling the agency to overwrite the malware on these systems without any impact on legitimate applications or files. The warrant also authorised the FBI to terminate any instances of the malware that were actively running on the compromised computers.

The FBI is currently in the process of notifying all owners or operators of computers that were remotely accessed by the Snake malware, instructing them to remove the malware from their systems.

Additionally, they are advising these individuals that they may need to remove any other malicious tools or malware that were implanted by the attackers, such as keyloggers, which Turla frequently used on compromised systems.

The agency is collaborating with partners worldwide to ensure that the Snake malware's international capabilities remain obstructed.

The US agencies, in conjunction with their counterparts in Australia, Canada, New Zealand and the UK, have released a joint advisory, outlining steps to fix machines that have been infected with the Snake malware.

"The Justice Department will use every weapon in our arsenal to combat Russia's malicious cyber activity, including neutralising malware through high-tech operations, making [innovative] use of legal authorities, and working with international allies and private sector partners to amplify our collective impact," assistant attorney general Matt Olsen said.