Critical Infrastructure Security, Threat Management, Malware

US, partners dismantle malware network used in 20-year Russian spy campaign

U.S. Attorney General Merrick Garland, right, and FBI Director Christopher Wray hold a press conference on the REvil ransomware attacks. (Photo by Chip Somodevilla/Getty Images)

The Department of Justice announced May 9 that the FBI and law enforcement partners around the world have hacked into and disrupted a peer-to-peer network of malware-infected computers used by “Turla,” an espionage-focused hacking group tied to the Federal Security Service (FSB) of the Russian government.

Different variants of the malware — which the U.S. government calls "Snake" — were used by Russian hackers to compromise systems and pilfer data from hundreds of computers across 50 countries over the past two decades, including the United States.

The operation included the FBI obtaining a court order from the Eastern District of New York authorizing the use of a tool called PERSEUS, which issues commands that cause the Snake malware to overwrite itself on infected devices.

The action was revealed after the government partially unsealed the search warrant used to seize and examine a number of Snake-infected devices. In a statement, Attorney General Merrick Garland said the operation has “dismantled” an espionage campaign that officials said had been running for more than 20 years.

“The Justice Department, together with our international partners, has dismantled a global network of malware-infected computers that the Russian government has used for nearly two decades to conduct cyber-espionage, including against our NATO allies,” said Garland. “We will continue to strengthen our collective defenses against the Russian regime’s destabilizing efforts to undermine the security of the United States and our allies.”

The malware implant is designed to persist on a victim system “indefinitely,” and the FBI said it observed numerous cases in which victims were unable to remove the infection even after attempting remediation. The bureau is contacting local governments and law enforcement agencies in other countries so that affected victims can be notified and given guidance on removing the implant.

According to a parallel cybersecurity advisory released the same day by agencies in the U.S., UK, Canada and Australia, the Snake implant is operated by Center 16, a unit within the FSB, specifically to conduct “long-term intelligence collection on sensitive targets.” Those targets include government networks, NATO, research facilities and journalists, and the tool has been used in dozens of countries on nearly every continent.

“Within the United States, the FSB has victimized industries, including education, small businesses, and media organizations, as well as critical infrastructure sectors including government facilities, financial services, critical manufacturing, and communications,” the advisory states.

John Hultquist, head of Mandiant Threat Intelligence at Google Cloud, called Turla "one of the oldest intrusion groups we track" with a record of espionage-minded hacking campaigns that date back to at least the 1990s.

Hultquist highlighted a number of incidents carried out by the group that have become public, such as the Agent.BTZ campaign — a computer worm that used USB flash drives to infect classified and unclassified networks at U.S. Central Command — and Moonlight Maze — an espionage campaign that spanned the 1990s and compromised the networks of the Department of Defense, NASA, the Department of Energy, defense contractors and other parties.

Turla has invested heavily in operational security, and Hultquist said the incidents that have become public are dwarfed by "a breadth of activity that goes unnoticed."

"They are focused on the classic targets of espionage: government, military and the defense sector; and their activity is characterized by a reliably quiet assault on these targets that rarely draws attention to themselves," he said in a statement.

The coordinated disruption is the latest example of U.S. and international law enforcement targeting and dismantling the tools and infrastructure used by state and criminal hacking groups, through court orders, raids and, at times, hacking back. That approach has become increasingly important to policymakers as they look for ways to affect hacking operations when more traditional arrests and indictments are not realistic.

Over the past two years, the Department of Justice has overseen seizures and takedowns of infrastructure used by the Hive ransomware group and other criminal operations, and in 2021 it used court orders to delete web shells that Chinese hackers and others had planted in compromised Microsoft Exchange servers.

The action was announced a day after the Justice Department revealed it seized more than a dozen "booter" services used by criminal distributed-denial-of-service operations.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
