US reveals bespoke tool that took down Russian malware operation

The US Department of Justice (DoJ) has revealed details of a joint operation in which Western agencies used a custom tool to destroy a decades-old Russian malware operation.

Use of a tool named ‘PERSEUS’ nullified a worldwide network of devices that had been infected with the Snake malware by threat actors in the group Turla.

A number of agencies including the NSA, FBI, and the Cybersecurity and Infrastructure Security Agency (CISA) led the operation codenamed ‘Medusa’.

Snake had been used to exfiltrate sensitive information from devices across 50 or more countries, including NATO governments and journalists, but the FBI-created PERSEUS was used to force the malware to overwrite its data without damaging infected devices.

Turla has been linked directly with the Federal Security Service of the Russian Federation (FSB) and has used Snake since 2003.

“For 20 years, the FSB has relied on the Snake malware to conduct cyber espionage against the United States and our allies – that ends today,” said Matthew G. Olsen, assistant attorney general, at the Justice Department’s National Security Division. 

“The Justice Department will use every weapon in our arsenal to combat Russia’s malicious cyber activity, including neutralizing malware through high-tech operations, making innovative use of legal authorities, and working with international allies and private sector partners to amplify our collective impact.”

Snake is able to function on Windows, macOS, and Linux under a high level of stealth, and has been operated in a tactical manner to hit specific targets.

It was found and destroyed on multiple US-based systems through a search warrant authorizing remote access to computers believed to have been compromised by the malware.

On some occasions, Turla was observed to have sent Snake to victims multiple times to ensure infection and exfiltration of data.

A joint cyber security advisory by the agencies described the malware as “the most sophisticated cyber espionage tool in the FSB’s arsenal”.

The malware’s network communications are encrypted and fragmented, and it has its own HTTP and TCP protocols that have allowed it to operate unseen on top legitimate networks.

In the wild, it has been found intercepting each client-to-server packet in a TCP session to check for Snake-specific instructions.

Snake can redirect all relevant packets to its own process function while redirecting all other packets to their respective applications to avoid detection.

Turla, based in Russia, has previously hijacked Iranian cyber espionage resources to launch masked attacks on Western victims.

Researchers at Microsoft Threat Intelligence, which tracks Turla under the name Secret Blizzard, also included findings that the group engaged in cyber warfare across Ukraine in its report marking a year since Russia’s invasion.

The DoJ has urged organizations to review its joint advisory for advice on Snake detection and remediation.

It noted that a keylogger has often been deployed with Snake, which hackers could use to steal passwords even after the first malware package has been nullified.