At a glance.
- The Five Eyes disrupt Russia's FSB Snake cyberespionage malware.
- From DDoS to cryptojacking.
- Trends in ransomware.
- Yesterday's Patch Tuesday is now in the books.
- A work-around for a March patch.
The Five Eyes disrupt Russia's FSB Snake cyberespionage malware.
The Five Eyes took down the Snake infrastructure Russia's FSB has used for espionage and disruptive activity for almost twenty years. Operation MEDUSA involved not only technical disruption of Snake malware deployments but lawfare as well. Operation MEDUSA was the work of an international partnership whose principal members were, in the US, the NSA, Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Cyber National Mission Force (CNMF), and in the other Four Eyes the Canadian Cyber Security Centre (CCCS), the United Kingdom National Cyber Security Centre (NCSC-UK), the Australian Cyber Security Centre (ACSC), and the New Zealand National Cyber Security Centre (NCSC-NZ). The Joint Cybersecurity Advisory these agencies issued describes Snake as "the most sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive targets." The malware is stealthy, readily tailored to specific missions, and well-engineered.
Strings within Snake's early code (such as "Ur0bUr()sGoTyOu#") gave the malware its early name, "Uroboros," after an ancient symbol of eternity, a snake clutching its tail in its jaws. The FSB coders had an esoteric streak: they embedded in their code a drawing of an Uroboros by the early modern Lutheran mystical theologian Jakob Böhme.
The Justice Department describes Operation MEDUSA as "a court-authorized operation...to disrupt a global peer-to-peer network of computers compromised by sophisticated malware, called 'Snake', that the United States Government attributes to a unit within Center 16 of the Federal Security Service of the Russian Federation (FSB)." That unit, commonly known as "Turla" (the name used in the court documents) and also tracked as Venomous Bear, has been actively collecting against targets in some fifty countries for nearly two decades.
The FBI obtained a Rule 41 warrant to remove Snake from eight infested systems. The application for the warrant summarizes the authority sought: "Federal Rule of Criminal Procedure 41(b)(6)(B) provides that 'a magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if . . . (B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.'" Such warrants are uncommon. The Department of Justice has used them twice in the past, the Record reports: once to disrupt China's Hafnium espionage campaign and once to dismantle Cyclops Blink, a Russian intelligence service botnet.
The FBI-developed tool used against Snake is interesting:
"Operation MEDUSA disabled Turla’s Snake malware on compromised computers through the use of an FBI-created tool named PERSEUS, which issued commands that caused the Snake malware to overwrite its own vital components. Within the United States, the operation was executed by the FBI pursuant to a search warrant issued by United States Magistrate Judge Cheryl L. Pollak of the Eastern District of New York, which authorized remote access to the compromised computers. This morning, the Court unsealed redacted versions of the affidavit submitted in support of the application for the search warrant, and of the search warrant issued by the Court. For victims outside the United States, the FBI is engaging with local authorities to provide both notice of Snake infections within those authorities’ countries and remediation guidance." (If the FSB is given to esoteric Lutheran allusions, the FBI apparently has a classicist streak--Perseus, after whom their remediation tool was named, was the slayer of the Gorgon Medusa, the sight of whom could turn victims to stone.)
The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.