Feds Dismember Russia's 'Snake' Cyberespionage Operation
Operation Medusa: FBI Tool Instructs Turla Group's Malware to Self-Destruct
Federal prosecutors said Tuesday that they had disrupted a Russian intelligence cyberespionage operation by targeting malware used by Kremlin hackers to steal classified and sensitive information. The disruption occurred through the remote deployment of an FBI tool dubbed Perseus that issued commands causing the malware, known as Snake, to overwrite itself.
A U.S. District Court judge issued a search and seizure order Thursday authorizing the FBI to use the tool to target eight U.S. systems infected by Snake as part of an effort the Department of Justice dubbed "Medusa." In Greek mythology, Perseus slew the Gorgon Medusa after being tricked into the quest by his would-be father-in-law.
In a sworn statement, the FBI tied the malware to a unit of Russia's Federal Security Service known as Turla, a group that security researchers also track as "Krypton," "Venomous Bear" and "Waterbug."
Turla regularly targets both government agencies and the private sector, and is known to have stolen documents from hundreds of systems worldwide. Its victims include NATO governments, journalists and others of interest to Moscow.
Michael J. Driscoll, assistant director in charge of the FBI's New York field office, described Snake as the Russian government's "foremost cyberespionage tool."
Most Snake infections use the host computer as a routing point in a peer-to-peer network used by Russian state hackers, the FBI said, "to make it more difficult for compromised victims to identify and block suspicious connections to Snake-compromised endpoints, among other reasons." Although Snake's code is the basis for a range of highly prolific malware including the Carbon backdoor, Kremlin hackers have not deployed Snake widely in a bid to decrease the probability of detection, the FBI also said.
Snake gains persistence on infected systems by loading a kernel driver and employs a keylogger that routinely reports back to FSB hackers, says a joint cybersecurity advisory released Tuesday by the Five Eyes intelligence alliance, made up of Australia, Canada, New Zealand, the United Kingdom and the United States.
"Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB's ultimate targets," the advisory says. "Snake's custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts."
Snake's kernel component examines inbound internet traffic to see if it contains a unique authentication code. When it does, it forwards the packets onward to another Snake node. That method of interception allows the malware to communicate without detection by ordinary intrusion detection security apps or firewalls.
Versions of Snake infect systems running Windows, Linux and macOS, and are designed to let attackers push modules with additional malicious capabilities onto infected endpoints. Even when victims detect the malware, it has historically been tough to eradicate.
Nevertheless, the DOJ said Snake's developers made some errors that it was able to exploit to find ways to disrupt the malware and its associated infrastructure.
Moonlight Maze, Agent.btz
Even if Snake operations are permanently disrupted, the group accused of wielding the Turla toolset has already secured its place in cybersecurity history, having been tied to one of the first known episodes of cyberespionage in the 1990s, dubbed Moonlight Maze by the FBI. Later, Turla was accused of building the malicious Agent.btz worm discovered in 2008, which successfully stole military secrets and helped birth U.S. Cyber Command.
"Turla is a Russian cyberespionage actor and one of the oldest intrusion groups we track, existing in some form as early as the 1990s when Kevin Mandia was responding to their intrusions into government and the defense industry," said John Hultquist, head of intelligence analysis at incident response firm Mandiant, which is part of Google.
Western intelligence officials say Snake began development as "Uroburos" in late 2003 and debuted in early 2004. They say it appears to be tied to a specific facility in Ryazan, Russia, backed by daily operations that run from about 7 a.m. to 8 p.m. local time.
Turla pursues "the classic targets of espionage - government, military and the defense sector - and their activity is characterized by a reliably quiet assault on these targets that rarely draws attention," said Hultquist, adding that the group has become known for its continuing innovation.
One of Turla's more innovative alleged efforts involved hijacking attack tools and command-and-control servers used by an Iranian nation-state group called OilRig - aka APT34, Crambus or Helix Kitten.
Russian-speaking attackers' use of the suborned Iranian infrastructure caused private-sector security researchers to first attribute the attacks to Iran. Later, the National Security Agency and U.K. National Cyber Security Center issued a joint alert saying that Russia had been behind a number of seeming OilRig campaigns (see: Turla Teardown: Why Attribute Nation-State Attacks?).
Turla's activities were detailed in a secret 2011 presentation by Canada's Communications Security Establishment that was leaked by ex-NSA contractor Edward Snowden in 2013.
The presentation describes the activities and infrastructure of Turla, which has the codename MAKERSMARK, as "designed by geniuses, implemented by morons." It says Turla members appeared to be using the attack infrastructure for personal browsing and that the group's development environment had been "infected by crimeware."