The Department of Justice announced on Tuesday it had broken up a long-running cyberespionage campaign linked to Russia’s chief intelligence unit, the Federal Security Service (FSB), which had successfully stolen “sensitive information” from the U.S. and its NATO allies.
The court-authorized U.S. operation, conducted under the codename “MEDUSA,” disrupted a “sophisticated malware” scheme called “Snake” after it had stolen documents from hundreds of computer systems in at least 50 countries.
Government systems and journalists were named as the key targets of the cyberespionage program, along with “other targets of interest to the Russian Federation,” according to a DOJ statement Tuesday.
“Through a high-tech operation that turned Russian malware against itself, U.S. law enforcement has neutralized one of Russia’s most sophisticated cyber-espionage tools, used for two decades to advance Russia’s authoritarian objectives,” Deputy Attorney General Monaco said in reference to a specialized tool called “Perseus” developed by the FBI.
The Russian espionage program relied on “Snake implant[s]” that persist in a compromised computer system indefinitely, according to DOJ officials.
The malware program typically goes undetected by the user and remains on the device “despite a victim’s efforts to remediate the compromise.”
“The worldwide collection of Snake-compromised computers acts as a covert peer-to-peer network, which utilizes customized communication protocols designed to hamper detection, monitoring, and collection efforts by Western and other signals intelligence services,” the DOJ said.
The identities of those targeted and the information Russia’s intelligence agency was able to steal were not detailed in the Tuesday announcement.
The FBI is working with local authorities not only to notify individuals targeted by the Snake malware, but also to provide remediation guidance.
The DOJ warned that just because the cyberespionage scheme was broken up does not mean that those of interest to Russia’s FSB will not be targeted in future operations.
“The operation to disable Snake did not patch any vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks,” the DOJ warned.
The DOJ added that victims should be aware that a unit known as “Turla,” operating out of the FSB, which has used Snake for decades, employs a “keylogger” to “steal account authentication credentials” that can be used against victims at a later time.