What is “Snake”, this Russian spyware neutralized by the United States?

It no longer comes as a surprise: contests of influence are also fought on the technological front. The United States announced on Tuesday, May 9, that it had neutralized one of the “most sophisticated” Russian spyware programs, a tool behind numerous attacks against NATO member countries over the past twenty years. This software, called “Snake”, enabled the Russian security service (FSB) to “steal hundreds of sensitive documents in at least fifty countries”, targeting in particular the IT systems of governments, the media and research centers, according to a statement from the US Department of Justice.

“Through a high-tech operation that turned Russian malware against itself, US law enforcement has neutralized one of Russia’s most sophisticated cyber-espionage tools”, said Deputy Attorney General Lisa Monaco. The spyware was put out of action during Operation Medusa, led by the FBI in coordination with foreign partners, said US Attorney General Merrick Garland. “We will continue to strengthen our collective defenses against the destabilizing efforts of the Russian regime,” he promised.

Software operated by the FSB

According to US authorities, the software was operated by an FSB unit known as “Turla”, working out of Ryazan, Russia. Snake could identify and steal documents while remaining undetected indefinitely. Its distinguishing feature: Turla’s operators exfiltrated the stolen data through the worldwide network of infected computers itself, with compromised machines relaying traffic for one another. “It represented a kind of digital espionage Swiss army knife, giving Russian spies clandestine access to victims’ computers, allowing these devices to secretly communicate with each other, and acting as a jumping-off point for further activity by Kremlin spies,” as the American outlet Politico puts it.

Incidentally, the software is also known as “Uroburos”. The name is apt: according to the US Cybersecurity and Infrastructure Security Agency (CISA), the FSB put it through almost constant upgrading and refitting, even after public disclosures, rather than abandoning it. In other words, it has been updated many times over the years. The Russian software was difficult to remove from infected computer systems, officials said. In 2018, the German Foreign Ministry revealed that it had been the target of an unprecedented attack, attributed by the media to “Snake”. It was a “technically ambitious and long-prepared attack”, the German Interior Minister, Thomas de Maizière, stressed at the time.

A complex tool

Victims have also been identified in Belgium, Ukraine, the United States, Switzerland and Georgia. Note that, according to US officials, Russian spies did not use Snake to stage physical attacks. “Snake” had been known to cybersecurity experts for at least ten years, and CISA places its creation around 2003. It is “the most sophisticated cyber-espionage tool in the FSB’s arsenal”, CISA also states in a document published jointly with its British, Canadian and Australian counterparts, emphasizing the stealthy nature of the software. “It has surprisingly few bugs given its complexity,” these agencies also note.

The CISA report states that Snake was designed so that its operators could easily integrate new or upgraded components, and that it ran on computers running Windows, macOS and Linux. This design facilitates the “development and interoperability of Snake instances running on different host operating systems.” After studying the software for many years, the FBI succeeded in building a tool, called “Perseus”, capable of communicating with Snake and ordering it to shut itself down without affecting the host computer.

US-led Operation Medusa was risky. In an unsealed 33-page filing submitted to a federal judge in Brooklyn, FBI agent Taylor Forry explained how the operation unfolded, in testimony quoted by the US daily The New York Times: “If Turla became aware of Operation Medusa prior to its successful execution, Turla could have used the Snake malware on affected computers and other Snake-compromised systems around the world to monitor the operation’s execution in order to learn how the FBI and other governments were able to disable the software and bolster Snake’s defenses.”
