Security news that informs and inspires

FBI Disrupts Turla Espionage Malware Network


The U.S. government on Tuesday announced that it has dismantled a global network of computers infected by the decades-old Snake malware, which is considered the most sophisticated cyber espionage tool in the Federal Security Service of the Russian Federation’s (FSB) arsenal.

The U.S. government has attributed the Snake malware to the well-known and prolific Turla APT group, which has used the tool to steal sensitive data from government networks, research facilities and journalists in at least 50 countries. The Department of Justice (DoJ) said on Monday it received court approval for a search warrant, issued by United States Magistrate Judge Cheryl L. Pollak of the Eastern District of New York, which authorized the FBI to obtain remote access to a global peer-to-peer network of computers compromised by the Snake malware. The FBI then created a tool called Perseus in order to issue commands that caused the Snake malware to overwrite its own components on those compromised devices.

“Generally, this is a hit for Turla: It won’t make them go away but it will force them to do a lot of retooling,” said Nick Biasini, head of outreach with Cisco Talos. “Snake has been around for a really, really long time, and I don’t think this is necessarily going to kill it, but it will force them to make some changes. The biggest impact is that they’ve lost whatever footing they had inside of targeted networks that they’ve already been able to compromise.”

Turla has been linked to high-profile and sophisticated attacks for decades, with many of these - including Moonlight Maze and Agent.BTZ - hitting U.S. agency and military networks. These operations were carried out for years before security researchers identified Turla in 2014 and began to detail its operations and toolsets, including the Snake malware, which is known for its stealthiness and its technical architecture that allows it to easily run on different operating systems and incorporate new components. The latter feature has enabled the threat actors to quickly make changes to Snake when security researchers have exposed its technical capabilities, and several variants of the malware exist.

In order to protect against detection, Turla operators also built up a peer-to-peer network of Snake-compromised computers. The network used customized communication protocols in order to route exfiltrated data across numerous relay nodes scattered around the world, and then back to Turla operators in Russia.

Despite Turla’s sophistication, the humans behind the APT make mistakes sometimes, and these errors gave the FBI a critical leg up in its operation. The U.S. government said it has been investigating Snake for almost two decades by monitoring FSB officers assigned to Turla that were conducting daily operations using the malware from a known FSB facility in Ryazan, Russia. After analyzing the malware and its network, the FBI was able to detect several flaws in its development and operation - for instance, rushed deployments of the malware that didn’t strip the binary - that led to various exposed function names, cleartext strings and developer comments. These errors allowed the agency to decrypt and decode the malware’s communications and gave a rare look into its inner workings.

“The biggest impact is that they’ve lost whatever footing they had inside of targeted networks that they’ve already been able to compromise.”

The agency was then able to develop the Perseus tool, which allowed it to create communication sessions with Snake-infected computers and then issue commands to cause the Snake implant to disable itself “without affecting the host computer or legitimate applications on the computer.” The FBI's approach here - gaining this type of remote access via a warrant - has previously been used by the agency in similar dismantling efforts. In April 2021, for example, an approved warrant allowed the agency to send remote commands to compromised Microsoft Exchange servers that copied, and then deleted, malicious webshells installed on the machines by attackers.

In conjunction with the announcement of the disruption, which the FBI calls Operation Medusa, U.S. agencies and six international partners (from the Five Eyes member nations) released a joint cybersecurity advisory exposing technical details about Snake, including the latest variant of the malware that has not been widely reported. The hope in publicizing these technical aspects of Snake is that cybersecurity teams will be able to detect and remediate the malware if it is on their networks, said the DoJ. The FBI also said it is also engaging with local authorities to notify victims outside of the U.S. and give them remediation guidance.

Still, security researchers stress that Operation Medusa will not permanently put an end to Turla’s operations, and John Hultquist, head of Mandiant Intelligence Analysis with Google Cloud, said “the effects of this operation will be temporary.”

“Turla will get its house in order and come back,” said Hultquist. “They have been around for a very long time, but disruptions during wartime can have major consequences.”

Not only is the Snake malware extremely stealthy, but it’s also known to be persistent in its targeting, with attackers often re-infecting victims despite their efforts to remediate the compromise. The DoJ warned that Turla frequently deploys a keylogger allowing Turla to steal account credentials, and Cisco Talos’ Biasini said that Turla has a variety of mechanisms in order to re-establish communications, including a backdoor called TinyTurla that Talos researchers discovered in 2021.

“They don’t tend to have only one access mechanism into a network, they’re going to drop things like TinyTurla that will be very lightweight backdoors [and give] the ability for them to try to re-establish communications,” said Biasini. “It eliminates the malware but it doesn’t eliminate the issues that allowed the malware to get installed on the system, so they would theoretically be able to get back in, and it is unlikely that that’s their only access mechanism.”