Washington — The FBI disrupted a 20-year-old sophisticated malware network used by the Russian government to collect sensitive information from hundreds of infected computers across 50 countries, the Justice Department announced Tuesday.
Dubbed “Operation Medusa,” the FBI says its court-authorized neutralization of the Kremlin-backed hackers in the U.S. succeeded, thanks to a digital tool called “Perseus” that turned the malware’s functionality against itself and forced the program to self-destruct on infected computers.
Officials say the malicious software known as “Snake” served as a covert avenue by which Russia’s intelligence forces stole and transmitted information from a targeted victim base that included NATO member governments, journalists and financial and technology sectors. Investigators allege the Snake malware had been used since 2004 by an arm of the Federal Security Service of the Russian Federation (FSB) known as Turla to stealthily exfiltrate documents of interest to the Russian government and avoid detection.
“The FSB has used Snake in many operations, and the FSB has demonstrated the value it assigns to Snake by making numerous adjustments and revisions to keep it viable after repeated public disclosures and other mitigations,” court documents unsealed Tuesday said. “On those computers that Turla has compromised, the Snake implant persists on the system indefinitely, typically undetected by the machine’s owner or authorized users.”
According to senior FBI officials, Snake was a “premier espionage tool” for the Russian government as it allowed its users to transmit stolen information via “hop points” across the world on other infected computers, creating a nearly undetectable highway for sensitive foreign records. It was operational until the operation’s completion on Monday, the officials said.
After working with the private sector and victims for a decade, senior FBI officials said they expect the international takedown coordinated with foreign partners to stop Russia’s “very consequential campaign.” The U.S. officials contend Operation Medusa disabled “a significant number of virtual infrastructures” used by the FSB and Turla to deploy the Snake malware. The neutralizing actions this week could have a “cascading impact” on other malicious software systems used by the Russian government and would make reimplementing Snake very difficult, the officials added.
The FBI is working with partners across the globe to ensure Snake’s international functionality remains impaired. Intelligence and cybersecurity agencies — along with partners in Australia, Canada, New Zealand, and the United Kingdom — issued a joint advisory on Tuesday describing Snake’s technical capabilities and ways to fix infected computers.
“The Justice Department will use every weapon in our arsenal to combat Russia’s malicious cyber activity, including neutralizing malware through high-tech operations, making [innovative] use of legal authorities, and working with international allies and private sector partners to amplify our collective impact,” Assistant Attorney General Matt Olsen said in a statement Tuesday.
Senior Justice Department officials emphasized the need for victims of the Snake malware to cooperate with investigators and stay up-to-date on patches and fixes for their systems.