How one of Vladimir Putin's most prized hacking units got pwned by the FBI
FBI officials on Tuesday dropped a major bombshell: After spending years monitoring exceptionally stealthy malware that one of the Kremlin's most advanced hacker units had installed on hundreds of computers around the world, agents unloaded a payload that caused the malware to disable itself.
The counter hack took aim at Snake, the name of a sprawling piece of cross-platform malware that for more than two decades has been in use for espionage and sabotage. Snake is developed and operated by Turla, one of the world's most sophisticated APTs, short for advanced persistent threats, a term for long-running hacking outfits sponsored by nation states.
If nation-sponsored hacking was baseball, then Turla would not just be a Major League team—it would be a perennial playoff contender. Researchers from multiple security firms largely agree that Turla was behind breaches of the US Department of Defense in 2008, and more recently the German Foreign Office and France's military. The group has also been known for unleashing stealthy Linux malware and using satellite-based Internet links to maintain the stealth of its operations.
One of the most powerful tools in Turla's arsenal is Snake, a digital Swiss Army knife of sorts that runs on Windows, macOS, and Linux. Written in the C programming language, Snake comes as a highly modular series of pieces that are built on top of a massive peer-to-peer network that covertly links one infected computer with another. Snake, the FBI said, has to date spread to more than 50 countries and infected computers belonging to NATO member governments, a US journalist who has covered Russia, and sectors involving critical infrastructure, communications, and education.
A short list of Snake capabilities includes a backdoor that allows Turla to install or uninstall malware on infected computers, send commands, and exfiltrate data of interest to the Kremlin.
[...]
The court documents provide an intriguing but ultimately incomplete account of how the counterhack against Turla worked. A joint cybersecurity advisory issued by law enforcement agencies around the world provided a few additional details.
How the US Dismantled a Malware Network Used by Russian Spies to Steal Government Secrets
The FBI tracked the cyber-espionage malware for close to two decades:
[...] The DOJ and its global partners identified the Snake malware in hundreds of computer systems in at least 50 countries. Prosecutors said the Russian spies behind the Turla group used the malware to target NATO member states — and other targets of the Russian government — as far back as 2004.
In the United States, the FSB used its sprawling network of Snake-infected computers to target industries including education, small businesses and media organizations, along with critical infrastructure sectors including government facilities, financial services, manufacturing and communications. The FBI said it obtained information indicating that Turla had also used Snake malware to target the personal computer of a journalist at an unnamed U.S. news media company who had reported on the Russian government.
Prosecutors added that Snake persists on a compromised computer's system "indefinitely," despite efforts by the victim to neutralize the infection.
After stealing sensitive documents, Turla exfiltrated this information through a covert peer-to-peer network of Snake-compromised computers in the U.S. and other countries, the DOJ said, making the network's presence harder to detect.
[...] The FBI said it developed a tool called "Perseus" — the Greek hero who slayed monsters — that allowed its agents to identify network traffic that the Snake malware had tried to obfuscate.
Between 2016 and 2022, FBI officials identified the IP addresses of eight compromised computers in the U.S., located in California, Georgia, Connecticut, New York, Oregon, South Carolina and Maryland. (The FBI said it also alerted local authorities to take down Snake infections on compromised machines located outside of the United States.)
With the victim's consent, the FBI obtained remote access to some of the compromised machines and monitored each for "years at a time." This allowed the FBI to identify other victims in the Snake network, and to develop capabilities to impersonate the Turla operators and issue commands to the Snake malware as if the FBI agents were the Russian hackers.
Then this week, after obtaining a search warrant from a federal judge in Brooklyn, New York, the FBI was given the green light to mass-command the network to shut down.
(Score: 2, Troll) by Freeman on Friday May 12, @04:49PM
I mean, generally, they're more likely to get the work done. Unless they're on that Cost+ incentive plan.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 5, Interesting) by shrewdsheep on Friday May 12, @04:55PM
De-infecting the machines is only snake oil if they do not patch up the security holes. Or did snake already prevent parallel infection? If I investigate hosts trying to log into my home server via ssh on shodan, many show vulnerabilities. This indicates that it is quite trivial to build up a botnet and a new snake variant will be there in short order.
(Score: 5, Informative) by namefags_are_jerks on Friday May 12, @05:10PM
The writeup of Snake's architecture by the Australian Cyber Security Centre with a billion times more content than the factory news website:
https://www.cyber.gov.au/about-us/advisories/hunting-russian-intelligence-snake-malware
(Score: 1, Flamebait) by Captival on Friday May 12, @10:57PM
The FBI has announced that they're really cool and awesome, and their genius tech experts have fought for freedom and justice everywhere. They're certainly not busy attacking their political opponents and covering up massive bribes and corruption by their own side. No, none of that. It's all heroics.