The Snake implant is considered the most sophisticated cyber espionage tool to have been designed and used by Center 16 of Russia’s Federal Security Service (FSB). It is used for long-term intelligence collection on sensitive targets. To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide.
Through Operation MEDUSA, the FBI identified 19 IP addresses linked to infected computers in the United States. The FBI figured out how to decrypt and decode Snake communications, enabling them to develop their own tool—Perseus—that would issue commands that causes Snake to disable itself without impacting the host computer. These names take their origin from Greek mythology, where Perseus slayed Medusa with her hair made from snakes.
Following the takedown of the malware, Deputy Attorney General Monaco stated:
“Through a high-tech operation that turned Russian malware against itself, U.S. law enforcement has neutralized one of Russia’s most sophisticated cyber-espionage tools, used for two decades to advance Russia’s authoritarian objectives.”
As detailed in court documents, the U.S. government has been investigating Snake malware tools for nearly 20 years. The efforts to disrupt the Snake malware network were led by the FBI’s New York Field Office, FBI’s Cyber Division, the U.S. Attorney’s Office for the Eastern District of New York, and the National Security Division’s Counterintelligence and Export Control Section. This U.S. intelligence community has been monitoring FSB officers assigned to Turla who were conducting daily operations using Snake. Their location was a known FSB facility in Ryazan, Russia.
The Cybersecurity and Infrastructure Security Agency (CISA) reported that they identified Snake infrastructure in over 50 countries across North and South America, Europe, Africa, Asia, and Australia, including the United States and Russia too. Their analysis is that the FSB has used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities, and journalists. As one example, FSB actors used Snake to access and exfiltrate sensitive international relations documents, as well as other diplomatic communications, from a victim in a North Atlantic Treaty Organisation (NATO) country. Within the United States, the FSB has victimised industries including education, small businesses, and media organisations, as well as critical infrastructure sectors including government facilities, financial services, critical manufacturing, and communications.
It should be noted that state-backed actors such as Turla have significant talent and financial support. This will likely mean that a new malware will emerge or even Snake itself may re-emerge in the near future.
Global law enforcement issued a detailed cybersecurity advisory that detailed how Snake works.