US says it disrupted malware used by Russian spies to steal documents


U.S. authorities have disabled malware that Russian spy agencies allegedly used for two decades to steal sensitive documents in dozens of countries, including from the governments of NATO members.

A unit of Russia’s FSB has for nearly two decades used the malware to steal material from hundreds of computer systems in at least 50 countries, including systems belonging to journalists and NATO member governments, the Justice Department said Tuesday.

“Russia used sophisticated malware to steal sensitive information from our allies and launder it through America’s infected computer networks in a cynical attempt to cover up their crimes,” U.S. Attorney for the Eastern District of New York Breon Peace said in a statement.

The malware, dubbed “Snake,” remains “the most sophisticated long-term cyberespionage malware implant” deployed by the FSB unit in question, known as Turla, the DOJ said.

“Turla is a Russian cyberespionage actor and one of the oldest intrusion groups we track, having existed in some form as far back as the 1990s and focusing on the classic targets of espionage – governments, military and defense sector,” said John Hultquist, who leads intelligence analysis at Google’s Mandiant.

While some of Turla’s work came to light in a few incidents in the early 2000s, “the impact of these incidents was offset by widespread activity that went unnoticed,” he said. “Turla is very focused on operational security and stealth, and they’re constantly innovating for that.”

The global collection of infected computers formed a “covert peer-to-peer network” that thwarted surveillance by adversary intelligence services, according to an affidavit filed by FBI agents. The network also made it easier for the infected computers to move large amounts of stolen data covertly and to communicate with one another. The agents added that Snake could remain on compromised devices “indefinitely,” sometimes for years, despite efforts to remove it.

During its investigation into Snake, the FBI found that Turla had used the malware to steal what are “believed to be” internal United Nations and NATO documents from a computer associated with a NATO member’s foreign ministry, according to the affidavit.

The FSB unit also allegedly used the software on the personal computer of a reporter who had covered the Russian government for an American news media company.

The FBI described a complex operation that first tested a technique for breaking Snake’s hold on a handful of computers in the United States, then extended it to thousands of computers around the world that may have been infected with the malware.

Nicknamed “Operation Medusa,” a play on the Uroboros theme the FSB coders used repeatedly (an image of a snake eating its own tail), the operation tricked the malware into treating the FBI’s instructions as if they had come from its operators or from a similarly infected host, according to the affidavit.

The commands were sent through a custom FBI program called Perseus (in Greek mythology, Perseus killed Medusa), which in effect caused the malware to disable itself, a step that could then be repeated at scale.

“We will continue to strengthen our collective defenses against the Russian regime’s destructive efforts to undermine the security of the United States and our allies,” U.S. Attorney General Merrick Garland said.

The takedown follows several coordinated actions by U.S. authorities against Russian-linked espionage and criminal networks, including the use of sophisticated analysis to trace the owners of bitcoin wallets that receive ransomware payments. In January, authorities infiltrated a ransomware group and provided its decryption keys to victims.

The Russian embassy in the United States did not immediately respond to a request for comment.
