2023-05-24

Earlier this month, the US government announced what it describes as its most important victory so far in the fight against global cyber-espionage. In an official statement, the US government declared that it had disrupted the malware known as Snake, classified as one of the most sophisticated and complex tools used for nearly two decades by Russia's Federal Security Service (FSB), one of the successor agencies of the KGB, to spy on member countries of the North Atlantic Treaty Organization (NATO), journalists and other targets.

In a statement issued on May 9, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) reported that the Snake malware was part of a wide range of malicious tools belonging to the notorious hacking group known as Turla. Backed by Russian state funding, the group began developing the malware in 2003 and used it to attack a variety of NATO-aligned targets, government agencies and US technology companies, a senior FBI official said.

The operation, conducted under the code name Medusa, was built on a major FBI investigation that had been under way for years. It was carried out in coordination with other US security agencies and international allies, including the United Kingdom, Canada, Australia and New Zealand. US authorities had been monitoring the activity of the FSB operators responsible for the malware, who worked from a Russian security services facility. During the investigation, American analysts identified several unique technical characteristics of Snake and exploited mistakes made by its operators, which gave them a solid understanding of the malware's inner workings.

“Our investigation revealed examples of FSB operators who appeared to be unfamiliar with Snake’s more advanced capabilities,” an FBI official stated in a filing with a US federal court.

According to US authorities, one of the weaknesses discovered in the malware was in its use of the OpenSSL library for the Diffie-Hellman key exchange. The key material Snake generated during this exchange was too short to be considered secure: the Diffie-Hellman prime was only 128 bits long. Furthermore, in some hasty deployments of the malware, operators neglected to strip the Snake binary, leaving function names, cleartext strings and developer comments that helped identify it. The operators’ modus operandi consisted of infecting computers around the world with the malware and then exfiltrating data from those devices, including devices located in the United States.
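The 128-bit Diffie-Hellman prime described above is the kind of parameter mistake a practitioner can check for, so here is an added worked example; it is not part of the article and not code from Snake or from the FBI's tooling. Snake's actual parameters are not on this page, so the numbers are constructed: a 31-bit toy prime (2^31 - 1, with generator 7) small enough that a passive observer can recover the private exponent, and hence the shared key, in well under a second with baby-step giant-step, plus a size check whose 2048-bit minimum is the example's own choice. The point generalizes: a generic discrete-log attack costs roughly 2^(bits/2) operations, so a 128-bit prime leaves about 2^64 work, and index-calculus methods do even better against primes that small.

```python
"""Added example (not from the article, Snake, or Perseus): why a 128-bit
Diffie-Hellman modulus keeps no secrets, shown on a constructed toy prime."""
import math
from typing import Optional


def dh_modulus_report(p: int, minimum_bits: int = 2048) -> dict:
    """Size check for a DH modulus (2048-bit minimum is this example's choice).

    Generic discrete-log algorithms (BSGS, Pollard rho) need about sqrt(p)
    group operations, i.e. 2**(bits/2); index calculus is cheaper still, so
    the figure below is an upper bound on attacker effort, not a lower one.
    """
    bits = p.bit_length()
    return {
        "bits": bits,
        "generic_attack_log2_ops": bits / 2,
        "acceptable": bits >= minimum_bits,
    }


def bsgs_discrete_log(g: int, h: int, p: int) -> Optional[int]:
    """Return the smallest x >= 0 with g**x == h (mod p), or None if h is not in <g>.

    Baby-step giant-step: O(sqrt(p)) time and memory.
    """
    m = math.isqrt(p) + 1            # m*m > p, so every exponent below p is covered
    baby = {}
    cur = 1
    for j in range(m):               # baby steps: store g^0 .. g^(m-1)
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant_factor = pow(g, -m, p)     # g^(-m) via modular inverse (Python 3.8+)
    gamma = h
    for i in range(m):               # giant steps: h * g^(-i*m)
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant_factor % p
    return None


def recover_shared_secret(p: int, g: int, pub_a: int, pub_b: int) -> Optional[int]:
    """Passive attacker: recover a from A = g^a mod p, then compute B^a mod p."""
    a = bsgs_discrete_log(g, pub_a, p)
    if a is None:
        return None
    return pow(pub_b, a, p)


# Constructed toy parameters: 2**31 - 1 is prime and 7 generates the whole group.
TOY_P = 2**31 - 1
TOY_G = 7


def demo() -> dict:
    """Run a toy exchange and break it; returns the real and the cracked key."""
    alice_priv, bob_priv = 123_456_789, 987_654_321   # constructed secrets
    alice_pub = pow(TOY_G, alice_priv, TOY_P)
    bob_pub = pow(TOY_G, bob_priv, TOY_P)
    real_key = pow(bob_pub, alice_priv, TOY_P)
    cracked_key = recover_shared_secret(TOY_P, TOY_G, alice_pub, bob_pub)
    return {
        "real_key": real_key,
        "cracked_key": cracked_key,
        "recovered_priv": bsgs_discrete_log(TOY_G, alice_pub, TOY_P),
    }


if __name__ == "__main__":
    print(demo())
    # A 127-bit Mersenne prime, comparable in size to the 128-bit prime in the article.
    print(dh_modulus_report(2**127 - 1))
    # Size check only (2**2048 - 1 is not prime); shows the threshold being met.
    print(dh_modulus_report(2**2048 - 1))
```

The toy prime is deliberately tiny so the attack finishes instantly; scaling the same baby-step giant-step to a 128-bit prime costs on the order of 2^64 steps, which is within reach of a well-resourced adversary, whereas a 2048-bit modulus pushes the generic attack to about 2^1024 and is what current guidance treats as a floor.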

US authorities were able to disable the malware using a purpose-built FBI tool called Perseus. The tool sent commands to Snake that caused it to overwrite its own vital components and halt its activities. Snake infrastructure has been identified in over 50 countries, including Russia itself.

While Snake has been deployed across many industries, its targeting has always been tactical and deliberate. The Russian FSB used the malware to collect sensitive information from high-priority targets such as government networks, research centers and journalists. One example cited was the access to and exfiltration of confidential documents and diplomatic communications of a NATO member country, whose name was not disclosed.

In the United States, the FSB has targeted sectors such as education, small businesses and media organizations, as well as critical infrastructure sectors including government facilities, financial services, critical manufacturing and communications.

The successful dismantling of the Russian cyber espionage network is considered a significant blow to foreign intelligence activities and an important step forward in defending the interests of the United States and its allies.

In the statement, US Attorney General Merrick Garland emphasized that Washington and its allies will continue to strengthen their joint defenses against Moscow’s attempts to undermine the security of Western countries. The move is seen as a forceful response to Russia’s cyber espionage activities, which have been a matter of concern for years. “We will continue to strengthen our collective defenses against the Russian regime’s destabilizing efforts to undermine the security of the United States and our allies,” Garland said.

Victory may be temporary

Although it represents a significant victory for Western countries, a Brazilian expert warned that this achievement may be only temporary and highlighted the need for continuous measures to guarantee digital security.

In an interview with People’s Gazette, security consultant Felipe Gonçalves Silva emphasized the ephemeral nature of victories in the cyber field. According to him, “when it comes to cybersecurity, all victories are fleeting. Today you may have won the battle, but tomorrow your attacker may outrun you.” For Silva, the campaign carried out under Operation Medusa to take down Snake certainly had a significant impact on the Russian espionage apparatus; however, it is essential to keep investing in intelligence, protection tools and awareness training for users, especially politically exposed ones, to prevent similar attacks in the future.

In Silva’s view, the next step Western countries must take to prevent the proliferation of new spy malware is precisely constant investment in intelligence. He warned that although Snake has been defeated, its secrets have already been deciphered, and generic versions of the malware are likely to surface on the dark web for criminal use. Caution, therefore, is key.

The security consultant also emphasized the ability of NATO countries to combat large-scale cyber threats. “Snake has a high capacity for infection and is extremely widespread. About 50 countries have been infected. It is a very strong and modular persistence malware, which was shaped according to the attacker’s need or intelligence objective. It was also extremely difficult to detect and left no traces or symptoms. This demonstrates the extremely high capacity of the NATO countries in achieving the neutralization and takedown of Snake. I see that we will have more and more mass cyber threat infection and proliferation tools with a high capacity for sophistication and software engineering on both sides,” he said.

In the context of future cybersecurity operations by Western countries, the takedown of Snake could play a crucial role. Silva pointed out that the operation initially sought to curb the activity of the FSB, which funded the malware, but that operations of this type also offer the opportunity to develop other, more advanced actions, systems and mechanisms for protection, detection and attack.

When asked about the importance of this takedown in the context of the cyber war between the West and Russia, Silva pointed out that it may be a historic milestone. “Snake can be regarded as a symbol of Russian cyber technological prowess. The loss of this highly mature and widespread malware is undoubtedly a significant victory for NATO countries,” he said.

However, Silva stressed the need to wait and see the possible consequences of this operation, as well as the counterattacks that may follow.

As for future cyber threats, he warned that Snake is just one example of sophisticated malware. He cited the Perseus software used by the United States in the Snake takedown as an example of a system that could evolve and take the place of the Russian malware. He also pointed to the use of metaverse environments such as online gaming as a current trend in cyberattacks against governments.

History of successful attacks and intrusions

During its years of activity, the Turla group, which the US says is funded by the Russian FSB, carried out several successful attacks on European countries using Snake. In 2016, the hackers broke into the Federal Academy of Public Administration in the city of Brühl, Germany. From there they gained access to the information network of the German federal administration, used by the country’s legislative and government bodies, and eventually reached their final objective: Department 2 of the Ministry of Foreign Affairs, the section responsible for German foreign policy within the European Union and for Germany’s relations with other countries in Europe, North America and Central Asia, including Russia.

Before that, the group also lent its services to the capture of Ukrainian data and documents during the occupation of Crimea in 2014. In that attack, dozens of Ukrainian computer networks were affected and destabilized. Besides the attack on Ukraine, the hackers also hit systems linked to the Lithuanian government, taking websites offline and capturing some information considered sensitive. In addition, John Hultquist, head of intelligence analysis at Google-owned Mandiant, told The Bharat Express News that the FSB even used Snake to help Iranian hackers steal information from an unnamed Western organization.