Ukraine at D+440: FSB cyberespionage network disrupted.
N2K logoMay 10, 2023

Ukraine claims to have inflicted heavy casualties on Russian forces in Bakhmut. The Five Eyes take down the FSB's Turla cyberespionage infrastructure.

Ukraine at D+440: FSB cyberespionage network disrupted.

More Russian missiles were launched against Kyiv last night, Al Jazeera reports. Ukraine says its air defenses shot them all down.

Ukraine also says, according to the Guardian, that it's inflicted heavy casualties on Russian forces in Bakhmut, with the Wagner Group and the Russian army's 72nd Independent Motorized Rifle Brigade being especially hard-hit. (A note on Russian military nomenclature: "motorized rifle" units are what the US would call "mechanized infantry," that is, an infantry formation equipped with armored personnel carriers or infantry fighting vehicles.)

Assessments of Russia's toned-down Victory Day celebrations.

The UK's Ministry of Defence looks back at Victory Day and sees restrained celebrations as designed to avoid arousing domestic public ire over what could be perceived as misplaced official priorities. "On 09 May 2023, the make-up of Russia’s annual Victory Day Parade in Red Square highlighted the materiel and strategic communications challenges the military is facing 15 months into the war in Ukraine. Over 8,000 personnel reportedly took part in the parade, but the majority were auxiliary, paramilitary forces, and cadets from military training establishments. The only personnel from deployable formations of regular forces were contingents of Railway Troops and military police. A vintage T-34 from a ceremonial unit was the sole tank on parade. Despite heavy losses in Ukraine, Russia could have fielded more armoured vehicles. The authorities likely refrained from doing so because they want to avoid domestic criticism about prioritising parades over combat operations."

US announces more aid for Ukraine.

The latest round of materiel the US will provide Ukraine includes more artillery and air defense systems. "The United States will provide Ukraine with a $1.2 billion package to bolster the country's air defenses and sustain its artillery needs, Pentagon Press Secretary Air Force Brig. Gen. Pat Ryder said today." The Pentagon's running total of aid to Ukraine since the beginning of Russia's invasion was updated accordingly.

The Five Eyes stare down Snake.

The Five Eyes took down the Snake infrastructure Russia's FSB has used for espionage and disruptive activity for almost twenty years. Operation MEDUSA involved not only technical disruption of Snake malware deployments but lawfare as well. Operation MEDUSA was the work of an international partnership whose principal members were, in the US, the NSA, Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Cyber National Mission Force (CNMF), and in the other Four Eyes the Canadian Cyber Security Centre (CCCS), the United Kingdom National Cyber Security Centre (NCSC-UK), the Australian Cyber Security Centre (ACSC), and the New Zealand National Cyber Security Centre (NCSC-NZ). The Joint Cybersecurity Advisory these agencies issued describes Snake as "the most sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive targets." The malware is stealthy, readily tailored to specific missions, and well-engineered.

Strings within Snake's early coding (such as “Ur0bUr()sGoTyOu#”) gave the malware its early name, "Uroboros," after an ancient symbol of eternity, a snake clutching its tail in its jaws. The FSB coders had an esoteric streak: they embedded a drawing of an Uroboros by the early modern Lutheran mystical theologian Jakob Böhme in their code.

The Justice Department describes Operation MEDUSA as "a court-authorized disrupt a global peer-to-peer network of computers compromised by sophisticated malware, called “Snake”, that the United States Government attributes to a unit within Center 16 of the Federal Security Service of the Russian Federation (FSB)." That unit, which has been commonly known as "Turla" (and is called that in court documents, but which has also been known as Venomous Bear), has been actively collecting against targets in some fifty countries for nearly two decades.

The FBI obtained a Rule 41 warrant to remove Snake from eight infested systems. The application for the warrant summarizes the authority sought. "Federal Rule of Criminal Procedure 41(b)(6)(B) provides that 'a magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if . . . (B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.'” Such warrants are uncommon. The Department of Justice has used them twice in the past, the Record reports, once to disrupt China's Hafnium espionage campaign and once to dismantle Cyclops Blink, a Russian intelligence service botnet.

The FBI-developed tool used against Snake is interesting:

"Operation MEDUSA disabled Turla’s Snake malware on compromised computers through the use of an FBI-created tool named PERSEUS, which issued commands that caused the Snake malware to overwrite its own vital components. Within the United States, the operation was executed by the FBI pursuant to a search warrant issued by United States Magistrate Judge Cheryl L. Pollak of the Eastern District of New York, which authorized remote access to the compromised computers. This morning, the Court unsealed redacted versions of the affidavit submitted in support of the application for the search warrant, and of the search warrant issued by the Court. For victims outside the United States, the FBI is engaging with local authorities to provide both notice of Snake infections within those authorities’ countries and remediation guidance." (If the FSB is given to esoteric Lutheran allusions, the FBI apparently has a classicist streak--Perseus, after whom their remediation tool was named, was the slayer of the Gorgon Medusa, the sight of whom could turn victims to stone.)

Adam Meyers, head of intelligence at CrowdStrike, summarized the scope of Venomous Bear's cyberespionage.“CrowdStrike attributes the use of Snake malware to VENOMOUS BEAR - a sophisticated Russia-based adversary, assessed with high confidence to be attributable to the FSB," he said. "Snake operations have been identified as supporting FSB’s Center 16 - a subdivision of the FSB responsible for the interception, decryption, and processing of electronic communications via cyber espionage. To date, Snake operations have targeted over 50 countries, including in North and South America, Europe, Africa, part of Asia, and Australia. Operation MEDUSA, and others like it, highlight the importance of public/private collaboration and threat intelligence information sharing in the global effort to take down sophisticated cyber adversarial groups.” 

Tom Kellermann, SVP of cyber strategy at Contrast Security, sees Operation MEDUSA as important, assertive, and a sign of things to come. “This represents a historic blow to the Russian cyberespionage apparatus. The Justice department has taken the gloves off and this disruption serves as a harbinger of more aggressive actions to come.”  

According to Jess Parnell, VP of Security Operations at Centripetal, regards the action against Turla as a welcome engagement in a cyber war:

“We’re in a constant war. Not the war you traditionally think of, but a war that involves algorithms and encryption. The war on cybercrime is a war of knowledge and innovation, where victory lies not in the destruction of an enemy, but in the protection of our digital way of life. We must stand firm and utilize every tool at our disposal, to defend our networks, our businesses and our communities. This is a huge step forward for The U.S. Justice Department and I applaud their dedication to taking the group down.

"If we have any hope of turning the tide in the war on cybercrime, a massive revamp of security strategy is needed at every level: individual, organizational and nation level. This involves a crucial step forward in working smarter with what we have. Over 90% of cyberattacks are threats that are already known, and have been mapped out by threat intelligence providers.

"Security teams are failing to use the data at their disposal to prevent cybercrime, in all likelihood because they do not have the capabilities to adequately analyze, understand and action all of the alerts that they receive - and in a time frame that does not allow the attackers to bypass their efforts. In an effort to neutralize cyberthreats, enterprises must deploy an intelligence-powered security approach using high performance computing technology, strong software algorithms and uniquely skilled security analysts to deliver a robust protection strategy. This puts threat intelligence at the forefront, moving from reactive to proactive defense, and helping security teams be more efficient and effective.”

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, gives Operation MEDUSA a full-throated shout of approval:

"This is great news, although not a brand new law enforcement tactic. Over the last decade or so, law enforcement have done similar bot takedowns by infiltrating the network or command and control servers. It's a great strategy, although in some cases it resulted in only a limited, temporary disruption, until the bad guys were able to set up new, different botnets. But occasionally, the takedown results in the permanent disruption of that particular malware botnet, and it never again gains the same status and popularity that it previously enjoyed. This one is run by the Russian FSB, with the resources, time, and incentives to put up another similar botnet, so my best guess is that this is only a temporary disruption. Still, anything that increases the cost and effort of the bad guys to do bad things helps everyone else. And this takedown increases the costs for what Russia is doing and that's a good thing. On a related note, we are starting to see malware botnets increasingly using self-protection mechanisms that try to complicate law enforcement takedowns. That's to be expected. The good guys figure out how to better fight malware and the malware purveyors fight back with new defenses. This is the malware bot lifecycle."