Turla’s Snake malware network disrupted by Five Eyes’ authorities

The US Justice Department announced the completion of court-authorized operation MEDUSA, to disrupt a global peer-to-peer network of computers compromised by sophisticated malware, called “Snake” (aka “Uroburos”), that the US Government attributes to a unit within Center 16 of the Federal Security Service of the Russian Federation (FSB).

For nearly 20 years, this unit, referred to in court documents as “Turla,” has used versions of the Snake malware to steal sensitive documents from hundreds of computer systems in at least 50 countries, which have belonged to North Atlantic Treaty Organization (NATO) member governments, journalists, and other targets of interest to the Russian Federation.

After stealing these documents, Turla exfiltrated them through a covert network of unwitting Snake-compromised computers in the United States and around the world.

Snake malware has been wielded by Turla for decades

The US Government has been investigating Snake and Snake-related malware tools for nearly 20 years, and has monitored FSB officers assigned to Turla conducting daily operations using Snake from a known FSB facility in Ryazan, Russia.

Although Snake has been the subject to several cybersecurity industry reports throughout its existence, Turla has applied numerous upgrades and revisions, and selectively deployed it, all to ensure that Snake remains Turla’s most sophisticated long-term cyberespionage malware implant.

Unless disrupted, the Snake implant persists on a compromised computer’s system indefinitely, typically undetected by the machine’s owner or authorized users. The FBI has observed Snake persist on particular computers despite a victim’s efforts to remediate the compromise.

Snake provides its Turla operators the ability to remotely deploy selected malware tools to extend Snake’s functionality to identify and steal sensitive information and documents stored on a particular machine. Most importantly, the worldwide collection of Snake-compromised computers acts as a covert peer-to-peer network, which utilizes customized communication protocols designed to hamper detection, monitoring, and collection efforts by Western and other signals intelligence services.

Turla uses the Snake network to route data exfiltrated from target systems through numerous relay nodes scattered around the world back to Turla operators in Russia. For example, the FBI, its partners in the US Intelligence Community, together with allied foreign governments, have monitored the FSB’s use of the Snake network to exfiltrate data from sensitive computer systems, including those operated by NATO member governments, by routing the transmission of these stolen data through unwitting Snake-compromised computers in the United States.

How to detect and remediate infections

Throughout the years, cybersecurity companies have been documenting Snake’s evolution and Turla’s activities.

Snake was initially malware that worked on Windows, and then was modified to work on Linux and macOS. Turla used other malware, as well, and various novel tactics.

Through analysis of the Snake malware and the Snake network, the FBI developed the capability to decrypt and decode Snake communications.

With information gleaned from monitoring the Snake network and analyzing Snake malware, the FBI developed a tool named PERSEUS which establishes communication sessions with the Snake malware implant on a particular computer, and issues commands that causes the Snake implant to disable itself without affecting the host computer or legitimate applications on the computer.

Through the use of PERSEUS, Operation MEDUSA disabled Turla’s Snake malware on compromised computers.

Within the United States, the operation was executed by the FBI on eight computers. For victims outside the United States, the FBI is engaging with local authorities to provide both notice of Snake infections within those authorities’ countries and remediation guidance.

Although the operation disabled the Snake malware on compromised computers, victims should take additional steps to protect themselves from further harm. The operation to disable Snake did not patch any vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim.

Moreover, as noted in court documents, Turla frequently deploys a “keylogger” with Snake that Turla can use to steal account authentication credentials, such as usernames and passwords, from legitimate users. Victims should be aware that Turla could use these stolen credentials to fraudulently re-access compromised computers and other accounts.

The FBI, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the US Cyber Command Cyber National Mission Force, and six other intelligence and cybersecurity agencies from each of the Five Eyes member nations issued a joint cybersecurity advisory with detailed technical information about the Snake malware that will allow cybersecurity professionals to detect and remediate Snake malware infections on their networks.

“We consider Snake to be the most sophisticated cyber espionage tool in the FSB’s arsenal,” the agencies noted.

Snake “employs means to achieve a rare level of stealth in its host components and network communications” and its “internal technical architecture allows for easy incorporation of new or replacement components” that “facilitates the development and interoperability of Snake instances running on different host operating systems.” Lastly, “Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity.”