In a Joint Operation, US Department of Justice Targets Russian FSB-Run Malware Operation
The US DOJ has revealed a multinational joint operation that successfully took down an advanced malware operation run by the FSB

The US Department of Justice has revealed a multinational joint operation, code-named Medusa, that successfully took down an advanced malware operation run by the Federal Security Service of the Russian Federation (FSB).
The malware, known as "Snake" and developed by Center 16 of the FSB, is considered the most sophisticated cyber espionage tool for long-term intelligence collection on sensitive targets.
The threat actor group is also commonly referred to as "Turla."
Three factors contribute to the sophistication of Snake malware: its ability to remain undetected in host components and network communications, an internal technical architecture that enables easy integration of new or replacement components, and high-quality software engineering design and implementation.
Given its size and complexity, Snake malware represents a significant programming achievement.
Snake infrastructure has been discovered in over 50 countries across six continents, targeting industries such as education, small businesses, and media organizations.
Additionally, it has been deployed against critical infrastructure sectors, including government facilities, financial services, critical manufacturing, and communications.
Over its nearly 20-year evolution, the FSB has used Snake malware in various forms to access and exfiltrate sensitive international correspondence from a victim in a NATO country and to compromise industries within the United States.
US authorities have been investigating Snake malware for almost two decades and have closely monitored Turla's activities, which are run from an FSB facility in Ryazan, Russia.
As part of Operation Medusa, the FBI developed a tool called Perseus, which issued commands to components of the Snake malware that caused it to overwrite its own vital components on compromised systems.
This tool was utilized to disrupt a global peer-to-peer network of computers infected by Snake malware.
Earlier this year, Mandiant observed Turla using command-and-control servers from decade-old Andromeda malware to target and spy on Ukrainian systems.
Other Russian threat groups have also been found employing the well-designed Snake malware.
Experts expect Turla to modify the Snake malware framework to overcome defensive and detection strategies, ensuring its espionage operations continue to be effective in the future.