
FBI Neutralises Russian Hacking Tool “Snake” Used to Spy on Foreign Govts for 25 Years

Turla, the cyberspy organisation targeted by the FBI, is linked to massive breaches of US military networks in the mid-to-late 1990s and a 2008 attack on US Central Command.

May 10, 2023
IMAGE SOURCE: Chip Somodevilla/Getty Images
US Attorney General Merrick Garland (R) accompanied by FBI Director Christopher Wray at a press conference.

In an operation that highlights the FBI’s increasing efforts to go beyond simply identifying hackers and finding fresh ways to thwart cyberattacks, US authorities claimed to have disabled malware that Russia’s intelligence agency has allegedly used for twenty years to steal documents from NATO-allied governments and others. 

Officials and security experts said the operation essentially crippled one of Russia’s most well-known and oldest cyber espionage operations, an acclaimed hacking unit previously connected to devastating thefts of US secrets. 

Overview

According to US sources, the FBI utilised a court order on Monday to deny the Russians access to the network of computers in the US, which the hackers were using for transmitting stolen information around the world and back to Russia. 

On Tuesday, a senior FBI official told reporters that the FBI operation and US public advisories regarding the hacking tool would make it “difficult or untenable” for the Russian Federal Security Service (FSB) to utilise it effectively again.

The FBI claimed to have uncovered a long-running cyber-espionage campaign by FSB officers, in which the agents obtained documents from other governments’ defence and foreign ministries, journalists, and others, and routed these data through infected computers in the US to conceal their activities.

Turla and Snake 

Security researchers refer to the hacking team as “Turla” and to the malware it is known to deploy as “Snake.” Turla, the group the FBI targeted, is one of the most skilled cyberspy organisations inside the Russian intelligence services and is linked to massive breaches of US military networks in the mid-to-late 1990s and a 2008 attack on US Central Command.

The US Justice Department stated that the FBI dismantled the Snake network through Operation MEDUSA, which had been authorised by a court order. According to officials, FBI investigators identified computers with Snake malware installed on them, including ones in Oregon, South Carolina, and Connecticut. With the court’s consent, they issued commands to the malware that permanently disabled it on those computers.

Chinese or Russian cyberattacks would fundamentally compromise US systems. Investigators traced the group’s daily movements to an FSB outpost in Ryazan, outside Moscow.

US Attorney General Merrick Garland declared in a statement that “the Justice Department, together with our international partners, has dismantled a global network of malware-infected computers that the Russian government has used for nearly two decades to conduct cyber-espionage, including against our NATO allies.”

Deputy Attorney General Lisa Monaco stated, “US law enforcement has neutralized one of Russia’s most sophisticated cyber-espionage tools through a high-tech operation that turned Russian malware against itself.” 

Since the beginning of Russia’s invasion more than a year ago, Mandiant, a US cyber firm owned by Google, has observed suspected Turla hackers concentrating extensively on Ukraine, the company said in January. 

The group was found to have used a variety of techniques, including an old-fashioned one: plugging in an external USB stick infected with malware. Turla’s hackers are skilled at infiltrating networks undetected, and cybersecurity specialists and US authorities said that the group’s espionage activities date back more than 25 years.

Infiltrating Networks of Foreign Governments

In recent years, the group has been observed breaking into the networks of parliaments and foreign ministries in Eastern Europe to gather information on Russia’s adversaries.

A 2022 investigation by the German public broadcaster Bayerischer Rundfunk linked some Turla operations to an FSB-connected company in Ryazan, Russia, about 120 miles southeast of Moscow.

Security agencies in the UK, Canada, Australia, and New Zealand issued comparable declarations outlining the FSB’s cyber disruption effort.