The Five Eyes member nations’ cybersecurity and intelligence agencies collaborated to dismantle the infrastructure of the Snake cyber-espionage malware, originally developed by Russia’s FSB, which had its roots in the Uroburos project dating back to 2003, and was deployed in attacks soon after its completion in 2004.
Operation MEDUSA, a coordinated effort by cybersecurity agencies, successfully disrupted the Snake malware associated with the Russian Turla hacking group within Center 16 of the FSB, revealing compromised devices from NATO member governments within the Snake’s peer-to-peer botnet.
The Justice Department and international partners have dismantled a global network of malware-infected computers used by the Russian government for cyber espionage against NATO allies for almost 20 years.
Snake, the FSB's advanced long-term cyber-espionage malware, enabled its operators to perform the following illicit tasks remotely:
- Install malware
- Steal sensitive information
- Maintain persistence
- Hide malicious activities via a covert peer-to-peer network
Targets of Russian FSB hackers
The Snake malware infrastructure, utilized by Russian FSB hackers to collect and steal sensitive data from targets across over 50 countries, was finally disrupted.
The targets included:
- Government networks
- Research organizations
- Journalists
Since 1996, Turla, also known as Waterbug and Venomous Bear, has allegedly been behind cyber-espionage campaigns, targeting a range of entities such as governments, embassies, and research facilities, with some notable attacks including the U.S. Central Command, Pentagon, and NASA.
Five Eyes agencies have released an advisory to aid defenders in identifying and removing Snake malware. The FBI works with local authorities outside the US to provide notice of infections and remediation guidance. At the same time, infected devices within the US have been taken down.
By analyzing the Snake malware and network, the FBI created a decryption tool called PERSEUS that communicates with the malware on targeted computers, issuing commands to disable the Snake implant without impacting the host computer or legitimate applications.
The FBI decrypted network traffic between NATO and U.S. devices infected by Snake malware, discovering that Turla operators had attempted to steal apparently confidential documents from the United Nations and NATO. The FBI subsequently gained access to the compromised devices, removed the malware, and terminated its operation while preserving legitimate apps and files.
The FBI is alerting computer owners and operators about the Snake malware, advising them to remove it along with other potential malicious tools or malware like keyloggers that the attackers may have planted.