On May 8, the Russian FSB’s cyberespionage capability took a major hit when a coordinated global takedown dismantled the Turla Snake malware operated by Center 16 of the Federal Security Service of the Russian Federation (FSB). The takedown ends a 20-year clandestine counterintelligence operation focused on this Russian cyberespionage effort, which targeted and successfully penetrated entities in over 50 countries, including many NATO members.
The significance of May 8 should not be overlooked: on May 8, 1945 (May 9 in Moscow), World War Two ended, and the date is designated a national holiday in Russia.
Operation Medusa
“The Justice Department, together with our international partners, has dismantled a global network of malware-infected computers that the Russian government has used for nearly two decades to conduct cyber-espionage, including against our NATO allies,” said Attorney General Merrick B. Garland. “We will continue to strengthen our collective defenses against the Russian regime’s destabilizing efforts to undermine the security of the United States and our allies.”
The FBI’s technical geniuses exhibited the patience of Job in painstakingly watching and learning how the Snake malware operated. They garnered sufficient know-how to develop an offensive cyber capability (codename PERSEUS) which in essence infiltrated the Snake ecosystem and then caused that ecosystem to self-destruct (if you are envisioning something out of Mission Impossible, you are not alone).
Then, in a display of a “we’re all in this together” attitude, the FBI brought in its foreign liaison partners and conjured up the global takedown.
“Today’s announcement demonstrates the FBI’s willingness and ability to pair our authorities and technical capabilities with those of our global partners to disrupt malicious cyber actors,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “When it comes to combating Russia’s attempts to target the United States and our allies using complex cyber tools, we will not waver in our work to dismantle those efforts. When it comes to any nation state engaged in cyber intrusions which put our national security at risk, the FBI will leverage all tools available to impose cost on those actors and to protect the American people.”
Jeffrey Wells, partner at Sigma7, had this to say about Operation Medusa: “The United States has been actively monitoring the cyber operations of FSB to combat the spread of malware. During the two-decade-long presence, there was much to learn. As a result, the US, in collaboration with its NATO-member partner governments, had deliberately decided to monitor FSB’s activities over time to gain intelligence and insights into their tactics, techniques, and procedures (TTPs). This knowledge is vital to develop appropriate defensive measures and programs to enhance the security of networks and to create effective offensive tools going forward. The decision to bring down FSB was not taken lightly, as it required substantial intelligence gathering and analysis and technical skills. It is no coincidence to me that the operation was carried out on May 8th, when Russia was celebrating ‘Victory Day.’”
CISA advisory
FSOs should avail themselves of the joint advisory that was released in conjunction with the DOJ press release. The DOJ notes that the advisory was issued by “The FBI, the National Security Agency, the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force, and six other intelligence and cybersecurity agencies from each of the Five Eyes member nations.”
Within the 48-page CISA Advisory (aa23-129a) one will find detailed technical information about the Snake malware, including paths to remediation. The information is available to anyone with a web connection.
Next steps
We don’t know why May 2023 was chosen to bring Operation Medusa to an end. In the world of counterintelligence, a 20-year run is unusual for any operation. No doubt the Russian Federation will be smarting from this joint action by global law enforcement and is already beginning its own damage assessment to determine how the United States could have had 20 years of visibility into its effort without being detected. It will also seek to determine what, if any, of its efforts are salvageable and can be rejuvenated in the future. The Russian intelligence apparatus will not take its foot off the proverbial gas pedal of cyberespionage, and you should, as the Director of CISA has said more than once, have your “shields up.”