The US and allied countries have disrupted a wide-ranging Russian hacking operation that spied on its adversaries over some 20 years, the justice department announced.
Law enforcement agencies penetrated a global network of computers infected with malicious software that the US said Russia’s federal intelligence service used to spy on computers in at least 50 countries, including governments belonging to Nato, the justice department said on Tuesday.
“The justice department, together with our international partners, has dismantled a global network of malware-infected computers that the Russian government has used for nearly two decades to conduct cyber-espionage, including against our Nato allies,” attorney-general Merrick Garland said in a statement.
The operations disabled the so-called Snake malware on compromised computers through the use of an FBI-created tool named Perseus, which issued commands to overwrite the malware, according to the US.
The Federal Bureau of Investigation, the National Security Agency, the Cybersecurity and Infrastructure Security Agency, US Cyber Command, and six other intelligence and cybersecurity agencies from allied governments issued a joint advisory on Tuesday with technical information about the Snake malware to help cybersecurity professionals detect and remediate the malware on their networks.
The FBI attributed the Snake espionage malware implant to Turla, an elite Russian hacking unit that spends extensive amounts of time profiling victims, often using USB sticks to spread malware, according to cybersecurity company Mandiant, a unit of Google Cloud.
Mandiant said in a January report that it had recently observed suspected Turla activities in Ukraine for the first time since Russia’s invasion of Ukraine.
‘Under the radar’
John Hultquist, who runs threat intelligence at Mandiant, said the Turla group has successfully gone after high-value intelligence targets for decades, including a spying campaign against the US defence department that helped launch US Cyber Command as a response to prodigious hacks.
“They have mostly stayed under the radar; they avoid the limelight at all costs,” Hultquist said, adding that the group has historically been very careful to obscure its operations and that its operations have rarely come to light. “They carry out highly sophisticated instructions that are designed to go unnoticed.”
The FBI, which said it has investigated Turla for more than a decade, obtained a court search warrant that authorised remote access to the compromised computers.
They have mostly stayed under the radar; they avoid the limelight at all costs. They carry out highly sophisticated instructions that are designed to go unnoticed
The FBI said in a statement it has provided notice of the court-authorised operation to all owners or operators of the computers remotely accessed as a result of the search warrant.
In an unrelated action, the justice department announced in 2021 it had undertaken a court-authorised operation to copy and remove malicious code from hundreds of vulnerable computers in the US.
“That approach is fairly controversial but these are difficult problems and the solutions have to be creative,” said Hultquist. “These are not run-of-the-mill threats.” — Chris Strohm and Katrina Manson, with Patricia Hurtado, (c) 2023 Bloomberg LP
