
Perseus vs. the Malware: FBI Disrupts Cyberespionage Tool

A serpentine cyberespionage campaign has been disrupted at last. Along with many international partners, the FBI hacked and disrupted one of the Russian government’s sophisticated, long-running cyberespionage efforts, targeting a nearly 20-year-old malware known as “Snake.” This malware has been used for decades by Turla, a unit within Russia’s Federal Security Service (FSB), to steal sensitive documents from computer systems in at least 50 countries, the U.S. Department of Justice (DOJ) said in a statement.

The court-authorized operation, code-named MEDUSA, remotely accessed the global network of computers compromised by Snake. The malware had infected NATO-member governments, journalists, research facilities, and other targets of interest to the Russian Federation to steal documents, the DOJ said. The stolen information was then laundered through the network of infected computers to cover the malicious actors’ tracks.

The FSB used Snake to victimize industries including education, small businesses, media organizations, and critical infrastructure, such as government facilities, financial services, critical manufacturing, and communications in the United States.

According to an advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), “We consider Snake to be the most sophisticated cyber espionage tool in the FSB’s arsenal. The sophistication of Snake stems from three principal areas. First, Snake employs means to achieve a rare level of stealth in its host components and network communications. Second, Snake’s internal technical architecture allows for easy incorporation of new or replacement components. This design also facilitates the development and interoperability of Snake instances running on different host operating systems. We have observed interoperable Snake implants for Windows, MacOS, and Linux operating systems. Lastly, Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity.”

“Operation MEDUSA disabled Turla’s Snake malware on compromised computers through the use of an FBI-created tool named PERSEUS, which issued commands that caused the Snake malware to overwrite its own vital components,” according to the DOJ. (As a bit of unexpected whimsical context, the code-names and tools for the operation reference the Greek myth of Perseus battling the snake-haired Gorgon named Medusa.)

Federal officials said they were confident that this week’s operation meant that the FSB would not be able to reconstitute the malware, the Associated Press reported.

“Through a high-tech operation that turned Russian malware against itself, U.S. law enforcement has neutralized one of Russia’s most sophisticated cyber-espionage tools, used for two decades to advance Russia’s authoritarian objectives,” said U.S. Deputy Attorney General Lisa O. Monaco. “By combining this action with the release of the information victims need to protect themselves, the Justice Department continues to put victims at the center of our cybercrime work and take the fight to malicious cyber actors.”

Snake has been a persistent threat because Turla kept the malware updated to avoid remediation, which kept it on victims’ computers for years, according to the DOJ. As part of yesterday’s announcement, the FBI, the U.S. National Security Agency, CISA, the U.S. Cyber Command Cyber National Mission Force, and six other intelligence and cybersecurity agencies from each of the Five Eyes member nations (Australia, Canada, New Zealand, United Kingdom, United States) issued a joint advisory about Snake to help “cybersecurity professionals to detect and remediate Snake malware infections on their networks,” the DOJ said.

Russia routinely denies carrying out cyberespionage campaigns, and Russian diplomats did not comment to Reuters about the allegations.