Sunday, September 24, 2023
Courthouse News Service

DOJ busts Russian cyberespionage operation

Moscow’s Federal Security Service had been using a network of computers infected with malware to steal information from dozens of countries.

(CN) — In the culmination of a decadeslong investigation, U.S. law enforcement announced Tuesday that it had successfully disabled a malware tool that Russian security services used to skim sensitive documents from computers across the globe.

The Justice Department worked with a coalition of international partners on the joint investigation, codenamed Medusa, that targeted the activities of a cyberespionage program within the Russian Federal Security Service, or FSB, that is referred to as Turla in security circles, among roughly a dozen other names. In an affidavit filed with the Eastern District of New York, an FBI agent explains that Turla used malware known as Snake to steal information from governments, journalists and other targets in nearly 50 countries, and then exfiltrated the information through a global network of infected computers.

Acting on a warrant issued by U.S. Magistrate Judge Cheryl Pollak in Brooklyn, the FBI took down the network by accessing infected computers remotely and using its own tool so that the Snake malware was made to self-destruct.

For the last 20 years, the FBI has been tracking agents in the Turla program as they worked on Snake-related activities from an FSB location in Ryazan, in central Russia. The intelligence operatives used the Snake malware to develop what the department called a covert peer-to-peer network of infected computers to help avoid detection by Western cybersecurity measures.

Using a computer infected with the Snake malware, the FBI was able to gain access to documents stolen from compromised computer systems, including those operated by the governments of NATO member states. The agency was then able to reverse-engineer the malware’s code to develop its own virus that caused the Snake program to disable itself on infected machines without harming other data on the computer.

Bryan Vorndran, assistant director of the FBI’s Cyber Division, said in a statement Tuesday that the agency’s efforts underscore its commitment to sinking Russian cybercrime activities.

Although the Snake virus has been disabled on all infected computers, the Justice Department warned that the vulnerabilities Russian intelligence services used to access those machines are expected to remain, and that other malware may still be present. The Turla program may also employ a tool known as a keylogger that, once a computer is infected with the Snake virus, steals account credentials from users. The FSB could still have access to that data, the agency cautioned.

U.S. Attorney Ian Richardson of the Eastern District of New York is leading prosecution of the case. On Tuesday the court unsealed redacted versions of the warrant that allowed the FBI’s operation to take place, as well as the supporting affidavit.

Follow @BenjaminSWeiss
