Connect with us

Hi, what are you looking for?



US Disrupts Russia’s Sophisticated ‘Snake’ Cyberespionage Malware 

The US government has announced the disruption of Snake, a sophisticated cyberespionage malware officially attributed to a unit of Russia’s FSB agency.

Russia's Snake malware disrupted by US

The US government announced on Tuesday that it has disrupted what it described as the most sophisticated cyberespionage malware used by a unit of Russia’s FSB security service to steal information from important targets. 

The malware, known as Snake, has been around for nearly two decades and it has been linked to various other tools and campaigns tied to the Russian government, including Uroboros, Turla, Venomous Bear and Waterbug. 

It has been used by threat actors to steal sensitive documents from hundreds of devices across at least 50 countries, according to the US government. Victims include the governments of NATO member countries, journalists, and research facilities. 

The malware has now been officially linked to a unit within Center 16 of the FSB.  

“The U.S. government has monitored FSB officers assigned to Turla conducting daily operations using Snake from a known FSB facility in Ryazan, Russia,” the US Justice Department said.

The DoJ announced on Tuesday that a court-authorized operation codenamed Medusa resulted in the disruption of a peer-to-peer (P2P) network of computers compromised by the Snake malware. 

Many systems in this P2P network served as relay nodes set up to route disguised operational traffic to and from instances of the Snake malware deployed on target systems. 

Advertisement. Scroll to continue reading.

The FBI developed a tool named Perseus that issued commands to cause the Snake malware to disable itself by overwriting its own critical components. However, authorities warned victims that they should conduct their own analysis to find other tools that might enable hackers to regain access to their systems. 

The US Cybersecurity and Infrastructure Security Agency (CISA) and various other agencies, including Five Eyes partners, have published a detailed technical advisory containing information that can be used to detect and prevent attacks involving the Snake malware, including a recent variant. 

The disruption of the malware was possible due to mistakes in development and operation, which allowed investigators to track Snake and manipulate its data. 

“The FSB used the OpenSSL library to handle its Diffie-Hellman key exchange. The Diffie-Hellman key-set created by Snake during the key exchange is too short to be secure. The FSB provided the function DH_generate_parameters with a prime length of only 128 bits, which is inadequate for asymmetric key systems,” the advisory explained. 

It added, “Also, in some instances of what appeared to be rushed deployments of Snake, the operators neglected to strip the Snake binary. This led to the discovery of numerous function names, cleartext strings, and developer comments.”

Related: Microsoft Announces Disruption of Russian Espionage APT

Related: Russia-Linked APT29 Uses New Malware in Embassy Attacks

Related: Russian Turla Cyberspies Leveraged Other Hackers’ USB-Delivered Malware

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...