The US government announced on Tuesday that it has disrupted what it described as the most sophisticated cyberespionage malware used by a unit of Russia’s FSB security service to steal information from important targets.
The malware, known as Snake, has been around for nearly two decades and it has been linked to various other tools and campaigns tied to the Russian government, including Uroboros, Turla, Venomous Bear and Waterbug.
It has been used by threat actors to steal sensitive documents from hundreds of devices across at least 50 countries, according to the US government. Victims include the governments of NATO member countries, journalists, and research facilities.
The malware has now been officially linked to a unit within Center 16 of the FSB.
“The U.S. government has monitored FSB officers assigned to Turla conducting daily operations using Snake from a known FSB facility in Ryazan, Russia,” the US Justice Department said.
The DoJ announced on Tuesday that a court-authorized operation codenamed Medusa resulted in the disruption of a peer-to-peer (P2P) network of computers compromised by the Snake malware.
Many systems in this P2P network served as relay nodes set up to route disguised operational traffic to and from instances of the Snake malware deployed on target systems.
The FBI developed a tool named Perseus that issued commands to cause the Snake malware to disable itself by overwriting its own critical components. However, authorities warned victims that they should conduct their own analysis to find other tools that might enable hackers to regain access to their systems.
The US Cybersecurity and Infrastructure Security Agency (CISA) and various other agencies, including Five Eyes partners, have published a detailed technical advisory containing information that can be used to detect and prevent attacks involving the Snake malware, including a recent variant.
The disruption of the malware was possible due to mistakes in development and operation, which allowed investigators to track Snake and manipulate its data.
“The FSB used the OpenSSL library to handle its Diffie-Hellman key exchange. The Diffie-Hellman key-set created by Snake during the key exchange is too short to be secure. The FSB provided the function DH_generate_parameters with a prime length of only 128 bits, which is inadequate for asymmetric key systems,” the advisory explained.
It added, “Also, in some instances of what appeared to be rushed deployments of Snake, the operators neglected to strip the Snake binary. This led to the discovery of numerous function names, cleartext strings, and developer comments.”
Related: Microsoft Announces Disruption of Russian Espionage APT
Related: Russia-Linked APT29 Uses New Malware in Embassy Attacks
Related: Russian Turla Cyberspies Leveraged Other Hackers’ USB-Delivered Malware