The United States Justice Department has completed an operation, code-named MEDUSA, to disrupt a global peer-to-peer network of computers that have been compromised by a Russian malware, called Snake.
The Snake malware was used by a special unit within the Federal Security Service of the Russian Federation (FSB) known as Turla. Turla has reportedly used the malware to steal sensitive documents in 50 countries across North America, South America, Europe, Africa, Asia, and Australia. After stealing the documents, Turla exfiltrated them through a covert network of unwitting Snake-compromised computers worldwide.
Operation MEDUSA used the FBI-created tool, PERSEUS to dismantle the Snake’s architecture. The tool issued commands that caused the Snake malware to overwrite its vital components. The operation was executed by the FBI through a search warrant issued by the US magistrate Judge Cheryl L. Pollak. For victims outside the US, the FBI is working with the concerned local authorities in the matter.
“The Justice Department, together with our international partners, has dismantled a global network of malware-infected computers that the Russian government has used for nearly two decades to conduct cyber-espionage, including against our NATO allies,” said Attorney General Merrick B. Garland.
The malware is sophisticated and has gone through multiple revisions and upgrades over the two-decade period. Snake’s custom communication protocols employ encryption and fragmentation to maintain confidentiality and are designed to avoid detection. Moreover, the internal structure of Snake was such that it was easy to incorporate new components. Snake can also be used across-platform, making it one of the most sophisticated cyber espionage tools designed by the FSB.
The FSB began developing Snake as Uroburos in late 2003. Development of initial versions of the implant was completed by 2004 and Snake was ready for operation shortly thereafter. Although Operation MEDUSA disabled Snake malware on compromised computers, the operation didn’t patch any vulnerabilities or search and remove any other malware. Moreover, as Turla frequently deploys a keylogger with Snake, it’s possible that the information is already available with the FSB, which can be used again later for espionage.
In the News: Final Cut Pro and Logic Pro rolling out to iPad soon