Cyberwarfare / Nation-State Attacks , Endpoint Security , Fraud Management & Cybercrime

Feds Dismember Russia's 'Snake' Cyberespionage Operation

Operation Medusa: FBI Tool Instructs Turla Group's Malware to Self-Destruct
Feds Dismember Russia's 'Snake' Cyberespionage Operation
"Perseus with the Head of Medusa" by Benvenuto Cellini (1500-1571) in Florence, Italy (Image: Shutterstock)

Federal prosecutors said Tuesday that they had disrupted a Russian intelligence cyberespionage operation by targeting malware used by Kremlin hackers to steal classified and sensitive information. The disruption occurred through the remote deployment of an FBI tool dubbed Perseus that issued commands causing the malware, known as Snake, to overwrite itself.

See Also: 5 Ways Exabeam Helps Eliminate Compromised Credential Blindspots

A U.S. District Court judge issued a search and seizure order Thursday authorizing the FBI to use the tool to target eight U.S. systems infected by Snake as part of an effort the Department of Justice dubbed "Medusa." In Greek mythology, Perseus slayed the Gorgon Medusa after being tricked into the quest by his would-be father-in-law.

The FBI in a sworn statement tied the malware to a unit of Russia's Federal Security Service also known as Turla, a group also dubbed "Krypton," "Venomous Bear" and "Waterbug" by security researchers.

Turla regularly targets both government agencies and the private sector, and is known to have stolen documents from hundreds of systems worldwide. Its victims include NATO governments, journalists and others of interest to Moscow.

Michael J. Driscoll, assistant director in charge of the FBI's New York field office, described Snake as the Russian government's "foremost cyberespionage tool."

Most Snake infections use the host computer as a routing point in a peer-to-peer network used by Russian state hackers, the FBI said, "to make it more difficult for compromised victims to identify and block suspicious connections to Snake-compromised endpoints, among other reasons." Although Snake's code is the basis for a range of highly prolific malware including the Carbon backdoor, Kremlin hackers have not deployed Snake widely in a bid to decrease the probability of detection, the FBI also said.

Snake gains persistence on infected systems by loading a kernel driver and employing a keylogger that routinely reports back to FSB hackers, says a joint cybersecurity advisory released Tuesday by the Five Eyes intelligence alliance, comprised of Australia, Canada, New Zealand, United Kingdom and United States.

"Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB's ultimate targets," the advisory says. "Snake's custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts."

Snake's kernel component examines inbound internet traffic to see if it contains a unique authentication code. When it does, it forwards the packets onward to another Snake node. That method of interception allows the malware to communicate without detection by ordinary intrusion detection security apps or firewalls.

Versions of Snake infect systems running Windows, as well as Linux and MacOS, and are designed to allow attackers to push modules with additional malicious capabilities onto infected endpoints. Even when victims detect the malware, it has historically been tough to eradicate.

Nevertheless, the DOJ said Snake's developers made some errors that it was able to exploit to find ways to disrupt the malware and its associated infrastructure.

Moonlit Maze,

Even if Snake operations are permanently disrupted, the group accused of wielding the Turla toolset has already secured its place in cybersecurity history, having been tied to one of the first known episodes of cyberespionage in the 1990s, dubbed Moonlit Maze by the FBI. Later, Turla was accused of building the malicious Agent.btz worm discovered in 2008, which successfully stole military secrets and helped birth U.S. Cyber Command.

"Turla is a Russian cyberespionage actor and one of the oldest intrusion groups we track, existing in some form as early as the 1990s when Kevin Mandia was responding to their intrusions into government and the defense industry," said John Hultquist, head of intelligence analysis at incident response firm Mandiant, which is part of Google.

Western intelligence officials say Snake began development as "Uroburos" in late 2003 and debuted in early 2004. They say it appears to be tied to a specific facility in Ryazan, Russia, backed by daily operations that run from about 7 a.m. to 8 p.m. local time.

Turla pursues "the classic targets of espionage - government, military and the defense sector - and their activity is characterized by a reliably quiet assault on these targets that rarely draws attention," said Hultquist, adding that the group has become known for its continuing innovation.

Iranian Mischief

One of Turla's more innovative alleged efforts involved hijacking attack tools and command-and-control servers used by an Iranian nation-state group called OilRig - aka APT34, Crambus or Helix Kitten.

Russian-speaking attackers' use of the suborned Iranian infrastructure caused private-sector security researchers to first attribute the attacks to Iran. Later, the National Security Agency and U.K. National Cyber Security Center issued a joint alert saying that Russia had been behind a number of seeming OilRig campaigns (see: Turla Teardown: Why Attribute Nation-State Attacks?).

Turla's activities were detailed in a secret 2011 presentation by Canada's Communications Security Establishment that was leaked by ex-NSA contractor Edward Snowden in 2013.

The presentation describes the activities and infrastructure of Turla, which has the codename MAKERSMARK, as "designed by geniuses, implemented by morons." It says Turla members appeared to be using the attack infrastructure for personal browsing and that the group's development environment had been "infected by crimeware."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.