The US Justice Department said Tuesday that it had disabled a “sophisticated” malware network used by Russia’s FSB intelligence agency for two decades to spy in 50 countries including a NATO ally.
The FSB had successfully inserted the “Snake” or “Uroburos” malware on computer systems around the world, focused on government networks, research facilities, journalists and other targets, according to US officials.
Computers in the system also served as relay nodes to disguise traffic to and from Snake malware inserted on target computer systems, they said.
In a years-long operation, the FBI was able to defeat Snake by inserting its own bit of computer code into it, which issued commands causing the malware to overwrite itself, the Justice Department said.
“Through a high-tech operation that turned Russian malware against itself, US law enforcement has neutralized one of Russia’s most sophisticated cyber-espionage tools, used for two decades to advance Russia’s authoritarian objectives,” said Deputy Attorney General Lisa Monaco.
The malware has been known to computer security experts for at least a decade, and CISA, the US cyber defense agency, said the FSB began developing it in 2003.
CISA called Snake “the most sophisticated cyber espionage tool in the FSB’s arsenal,” noting that it was particularly stealthy and extremely hard to detect on computer systems and in network traffic.
In addition, it was designed for easy updating and modification, and yet had “surprisingly few bugs given its complexity,” CISA said.
Those aspects allowed the FSB to work undetected for years through sprawling host networks to get into computers with sensitive documents.
In at least one case, Snake was placed on the systems of an unnamed NATO country, allowing Russian intelligence to access and exfiltrate sensitive international relations documents and diplomatic communications, CISA said.
“The effectiveness of this type of cyber espionage implant depends entirely on its long-term stealth,” the agency said.
Previous official and news reports have indicated that Snake and related software have been found on government systems in Germany, Belgium, Ukraine and Switzerland.
CISA said US investigators had traced the malware’s development to an FSB unit known as Center 16 operating out of Ryazan, Russia, and its operation from an office the unit has in Moscow.
CISA said it and cyber experts in allied countries have been investigating the unit and its hacking tools, more broadly known as the Turla toolset, for almost 20 years.
The FSB has adapted it for use in Windows, MacOS, and Linux operating systems, and even when it was exposed as a threat by computer security firms, the Russians were able to modify it to keep it hidden and functional.
But Snake’s sophistication led less skillful FSB operators to make errors when using it, which allowed Western investigators to penetrate its inner workings and track the malware, CISA said.
The Justice Department said the FBI developed a tool, dubbed Perseus, that rendered the Russian malware ineffective.
Perseus “establishes communication sessions with the Snake malware implant on a particular computer, and issues commands that causes the Snake implant to disable itself without affecting the host computer or legitimate applications on the computer,” the department said.
Despite the success of the Perseus implant, Snake malware is still a threat, according to a joint advisory issued Tuesday by cyber authorities in the United States, Canada, Britain, Australia and New Zealand.