WASHINGTON — The United States and its allies have dismantled a major cyber-espionage system that Russian intelligence is said to have used for years to spy on computers around the world, the Justice Department announced Tuesday.
In a separate report, the Cybersecurity and Infrastructure Security Agency portrayed the system, known as the “Snake” malware network, as “the most sophisticated cyber-espionage tool” in the Federal Security Service’s arsenal, which it has used to monitor sensitive targets, including government networks, research facilities and journalists.
The Federal Security Service, or FSB, had used Snake to access and steal international relations documents and other diplomatic communications from NATO countries and from a range of US institutions, CISA said. Those include “education, small business and media organizations, as well as critical infrastructure sectors, including government facilities, financial services, critical manufacturing and communications.”
Top Justice Department officials hailed the apparent demise of the malware.
“Through a high-tech operation that turned Russian malware against itself, U.S. law enforcement has neutralized one of Russia’s most sophisticated cyber-espionage tools, which has been used for two decades to further Russia’s authoritarian aims,” said Lisa O. Monaco, the deputy attorney general, in a statement.
In a recently unsealed 33-page court filing from a federal court in Brooklyn, a cybersecurity agent named Taylor Forry explained how the effort, dubbed Operation Medusa, would take place.
The Snake system, the court documents said, operated as a “peer-to-peer” network connecting infected computers around the world. Taking advantage of this, the FBI planned to infiltrate the system using an infected computer in the United States, overwriting the code on each infected computer to “permanently disable” the network.
The US government had been scrutinizing Snake-related malware for nearly two decades, according to court filings, which stated that a unit of the FSB known as Turla had been operating the network from Ryazan, Russia.
While cybersecurity experts have identified and described the Snake network over the years, Turla kept it operational through upgrades and revisions.
The malware was difficult to remove from infected computer systems, officials said, and the secret peer-to-peer network sliced and encrypted stolen data as it was surreptitiously routed through “numerous relay nodes scattered around the world back to Turla operators in Russia” in a way that was difficult to detect.
The CISA report said Snake was designed to allow operators to easily integrate new or upgraded components, and it ran on computers running Windows, Macintosh, and Linux operating systems.
The court documents also sought to delay informing people whose computers would be used during the operation, saying it was imperative to coordinate Snake’s dismantling so the Russians could not thwart or mitigate it.
“If Turla found out about Operation Medusa before it was successfully executed, Turla could use the Snake malware on affected computers and other Snake-affected systems around the world to track the operation’s execution, find out how the FBI and other governments were able to disable the Snake malware, and bolster Snake’s defenses,” Special Agent Forry added.