Kremlin-linked ‘Snake’ espionage malware eliminated, Justice Department says

U.S. and international authorities on Tuesday announced they had successfully dismantled a malware implant utilized for two decades by a notorious Kremlin-backed hacking group.

The Justice Department said it obtained court authorization on Monday that allowed U.S. law enforcement to wipe out the malicious code, dubbed “Snake,” which was used by Turla, a group long affiliated with the Russian Federal Security Service (FSB). Investigators tracked the group’s activities to an FSB facility in Ryazan, Russia.

“We assess this to be their premier espionage tool,” a senior FBI official told reporters during a conference call Tuesday, noting it had been deployed against NATO countries and others with the goal of pilfering sensitive U.S. information.

“For 20 years, the FSB has relied on the Snake malware to conduct cyberespionage against the United States and our allies — that ends today,” Assistant Attorney General Matthew Olsen, the head of the DOJ’s National Security Division, said in a statement.

The effort, called “Operation Medusa,” has ostensibly robbed the Russian group of a tool it has relied upon “to compromise hundreds of computers in at least 50 countries worldwide,” according to an affidavit released with the announcement.

“Our ability to take it down, and then publicly provide network defenders with the ability to now defend their networks against it, we believe makes it untenable for the FSB to reconstitute after this operation,” the FBI official said.

The FBI was able to identify 19 internet protocol (IP) addresses associated with computers in the U.S. that were infected, though the official declined to say exactly how many U.S.-based computers were compromised. Snake was “up and active” as of Monday, the official said.

Once law enforcement received the legal green light on Monday, the FBI deployed a specially crafted tool of its own, called “Perseus,” that allowed the agency to send commands back to the malware, which has undergone multiple iterations since its introduction in 2004. The move caused Snake to override its core components and then self-destruct. In Greek mythology, Perseus slayed the snake-haired Medusa.

DOJ relied on a special seizure warrant, known as a Rule 41 procedure, to remove the Russian malware from U.S. victim computers, something it has done twice in the past: to disrupt the China-linked Hafnium espionage campaign and to destroy Cyclops Blink, a botnet controlled by Russian intelligence.

The U.S. and its allies issued a lengthy cybersecurity advisory that detailed how Snake works and how to mitigate it.

“These technical details will help industry governments find and shut down the malware globally,” Rob Joyce, director of cybersecurity at the National Security Agency, tweeted.

John Hultquist, head of Mandiant Intelligence Analysis at Google Cloud, tweeted that Turla hackers “operate low and slow and they always seem to be in the background grinding away.”

“This disruption will be temporary, but there's a war on, and there's never a better time to disrupt the enemy's intelligence apparatus then when they are trying to make better decisions to get off the back foot.”

Updated 5/9/23 at 2:25 p.m.: Adds more details from U.S. government documents.