The FBI has succeeded in taking an international Russian computer network offline. Through this network, Russian state hackers stole sensitive and confidential data from hundreds of systems in at least 50 countries for nearly two decades. The affected countries have been notified of the events.

This is according to a statement from the US Department of Justice (1).
It involves a global network of computers that were infected with the Russian malware "Snake." According to the department, the Russian security service FSB is responsible for the creation of this malware. A unit of this service, also known as Turla, used different versions of the Snake malware to steal sensitive documents from hundreds of computers. At least 50 NATO member countries fell victim to this, as well as journalists and other targets of interest to Russia.
"After stealing these documents, Turla exfiltrated them through a covert network of Snake-affected computers in the United States and around the world," the Justice Department writes. This network used customized communication protocols to make detection and monitoring impossible. Thus, it was impossible for security researchers to figure out who had stolen the files.
The FBI managed to disable the Russian malware with a tool it had developed itself: PERSEUS. With it, the FBI sent commands to the Snake malware, causing it to self-destruct. Victims were notified of the incident. Furthermore, the FBI is working with national investigative and enforcement agencies to explain how victims can recognize Snake malware and how they can restore their systems.
All this happened under the banner of Operation MEDUSA. In total, nearly 20 years of investigation into Russian malware tools preceded it. During this period, the US government followed several FSB officials who worked from their base in Ryazan, Russia. According to the US, the Russian security service is responsible for developing "the most advanced cyber-espionage malware."
Turla used the Snake network to send captured data via relay nodes scattered around the world to FSB employees in Russia. After analyzing the Russian malware, the FBI was able to develop a tool to monitor and analyze communication sessions that passed through this network, and destroy the malware.
"Although Operation MEDUSA disabled the Snake malware on affected computers, victims should take additional measures to protect themselves from further damage," the Justice Department states. The operation did not fix any vulnerabilities or close any security holes. It also did not search for additional malware or hacking tools that hackers may have installed on their victims' networks.
Finally, the department emphasizes, Turla often used a keylogger to steal victims' login and authentication credentials. "Victims should be aware that Turla can use this stolen information to regain access to infected computers and other accounts," the department said.
Dave Maasland, CEO of ESET Netherlands, said on Twitter that Operation MEDUSA comes at a crucial time in the war between Russia and Ukraine. "This means that Russia's information position will be hit rock hard, with potentially noticeable consequences in the war. This is big."
Maasland stressed that the FBI's action comes at a "particularly sensitive moment in the war." Indeed, Ukrainian soldiers are about to launch a counteroffensive to drive out Russian troops. "It is not inconceivable that the potential disruption of Russian spying activities could have an impact on the course of this conflict."
(1) https://www.justice.gov/usao-edny/pr/justice-department-announces-court-authorized-disruption-snake-malware-network
