[German]The U.S. Department of Justice and the FBI have announced that they have disabled the Snake spyware. This spy software was abused by the Russian secret service to infect computer systems and use them for spying. Over the past 20 years, the Russian secret service FSB has used the software to spy on numerous public agencies, research institutions and media outlets.
Advertising
Snake is a malware that was developed and used by the Russian secret service FSB to infect computer systems in over 50 countries and then abuse them for spying purposes. It is said that the FSB or the "Turla" group started developing the spy software as early as 2003 and spied on the U.S. and other NATO countries for 20 years using the software called "Snake."
That's over now, according to this statement from the National Security Agency (NSA). U.S. agencies and allies, working together, have succeeded in identifying the Russian Snake malware infrastructure used around the world – in more than 50 countries. The agencies, which include NSA, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Cyber National Mission Force (CNMF), the Canadian Cyber Security Centre (CCCS), the United Kingdom National Cyber Security Centre (NCSC-UK), the Australian Cyber Security Centre (ACSC), and the New Zealand National Cyber Security Centre (NCSC-NZ), trace the Snake operations to a known entity (Turla) within Center 16 of the Russian Federal Security Service (FSB).
The international coalition named above has identified Snake malware infrastructure throughout North America, South America, Europe, Africa, Asia, and Australia, including the United States and Russia. Typically, the Snake malware is deployed on outward-facing infrastructure nodes on a network. From there, it uses other tools and techniques, tactics and procedures (TTPs) on the internal network to conduct further attacks.
Malicious cyber actors used Snake to access and exfiltrate sensitive international relations documents and other diplomatic communications through a victim in a North Atlantic Treaty Organization (NATO) country. In the United States, the FSB has attacked educational institutions, small businesses, and media organizations, among others. Critical infrastructure such as local governments, finance, manufacturing, and telecommunications have also been affected.
Advertising
The cooperating authorities managed to eliminate the Snake malware with the help of a special tool as part of Operation Medusa. For this purpose, the malware on the victims' systems was made to load an update, which the malware uses to destroy itself. The FBI obtained a court order to be able to perform this shutdown of the malware.
"Russian government actors have used this tool for intelligence purposes for years," said Rob Joyce, NSA director of cybersecurity. "The Snake infrastructure has spread around the world. The technical details will help many organizations find and shut down the malware around the world." A comprehensive description of the Snake malware can be found in this 48-page PDF document.
The Snake spy network has been shut down by this action. But the infected computer systems are probably vulnerable to vulnerabilities and would have to be secured against such attacks by the responsible users. However, the Russian actors of the FSB or Turla groups will probably remain active and simply think of new ways to infect the victims. Darkreading has this article on the subject.
The FBI also seized 13 DDoS sites, disrupting the infrastructure in question. The colleagues at Bleeping Computer have reported in this article. This seizure is now already having an impact, as the above tweet illustrates. Several pro-Russian hacktivist groups report that the FBI operation to take down botnets is having an impact on their operations.
