For more than two decades, cybersecurity experts around the world fought a secret battle against a Russian hacking group. At some point that group developed computer malware named “Snake,” which had embedded itself in the systems of multiple NATO governments as well as systems belonging to corporations and individuals. For almost as long as that software has existed, the FBI and other intelligence agencies have been aware of it and have worked on ways to counter it. This included creating a tool that used Snake to feed false information back to Russia.
On Tuesday (May 9, 2023), the Department of Justice announced that the FBI, along with agencies in the U.K., Canada, Australia, and New Zealand, had moved to disable Snake. That decision likely means one of two things: either Russia had recognized that the tool was no longer returning information of value, or the tit-for-tat, as Russian programmers kept updating the malware, had come to present the agencies with more risk than opportunity.
In any case, it seems the agencies have now acted to disable Snake, cutting off the flow of information to what the Department of Justice described as Russia’s “premier espionage tool.”
During World War II, secret partisan networks in countries occupied by Nazi Germany smuggled out coded messages describing the movements of German troops and resources. Among these were the radio operators of Die Rote Kapelle, the Red Orchestra, a loosely connected group of Soviet sympathizers who used the era’s most sophisticated technology: portable shortwave radio sets. At least twice during the war, sections of the Orchestra were detected and their operators taken into custody by German counterintelligence. However, rather than simply being jailed or executed, many captured radio operators were put to work feeding false information back into the Soviet networks, a process known as “playback.”
Playback is sometimes regarded as the final stage of any intelligence operation. In the case of Snake, it seems like that stage came almost as soon as the operation was launched.
“Through a high-tech operation that turned Russian malware against itself, U.S. law enforcement has neutralized one of Russia’s most sophisticated cyber-espionage tools, used for two decades to advance Russia’s authoritarian objectives,” stated Deputy Attorney General Lisa Monaco. “By combining this action with the release of the information victims need to protect themselves, the Justice Department continues to put victims at the center of our cybercrime work and take the fight to malicious cyber actors.”
As Reuters reports, Snake originated from Russia’s FSB (one of the successors to the Soviet KGB), where it was developed by a special hacker team known as “Turla.” That group, which has gone up against both government and corporate targets in NATO countries, is regarded as “one of the most sophisticated hacking teams” in the business. They’ve been working against the West for two decades.
"We assess this as being their premier espionage tool," one of the U.S. officials told journalists ahead of the release. He said Washington hoped the operation would "eradicate it from the virtual battlefield."
It’s unclear from the announcements when and where the original version of Snake first penetrated Western systems, but from some descriptions, it may be nearly as old as the Turla hacking group itself. Over the years, Snake spread far beyond the U.S. and well outside of government circles. According to the FBI, it has been detected in at least 50 countries and has been used to track many “targets of interest” to Russia, including journalists and political figures. Multiple revisions to Snake, pushed out over the years by Turla hackers, allowed it to keep working largely undetected by commercial security tools, even as the defenses around it were repeatedly updated.
A computer infected by Snake could pass information to other infected systems without its owner’s knowledge. Any classified or technical documents that might help Russia keep ahead of developments elsewhere could be gathered up and sent along. Eventually, those documents would traverse the network of infected machines to reach the FSB.
As described in an affidavit viewed by The Washington Post, Snake created a “worldwide collection of compromised computers [which] acts as a covert peer-to-peer network, which utilizes customized communication protocols designed to hamper monitoring and collection efforts by adversary signals intelligence services.” In other words, it was good both at collecting information and at staying hidden.
Drawing on both its computer skills and its knowledge of Greek mythology, the FBI created “Operation Medusa” to track the activities of Snake. The team behind that operation built a tool known as “Perseus.”
When it found an instance of Snake, the Perseus tool could use the same interface that Russian hackers used in updating Snake to order the program to overwrite portions of its own programming. In the words of one FBI insider, Perseus “speaks Snake.” In that way, they could affect both the content delivered and the basic operations of Snake.
As the various instances of Snake spoke to one another, the Perseus tool followed the malware’s connections back through the infected systems, spreading like a vaccine. When the FBI was finally ready to decapitate Snake, it used Perseus to send code that instructed the Russian malware to overwrite vital parts of itself, cutting off its functionality. (If the FBI called this code “sword” or “mirror,” they didn’t pass that along.)
As might be expected, all the information now available on the epic battle of Snake and Perseus is quite vague. We don’t know when and where the first computer was bitten by Snake, or how much time passed before the FBI discovered the infection. We also don’t know which information may have reached Russia through what the FBI described as “the FSB’s premier long-term cyberespionage malware implant” before Perseus joined the fight, or which information might have been blocked or altered.
From the tenor of the FBI announcements, the agency considers this a big deal. One hopes that assessment reflects the scale of the operation rather than the scale of the documents stolen. The statement from the Department of Justice reads: “For 20 years, the FSB has relied on the Snake malware to conduct cyberespionage against the United States and our allies–that ends today.” That certainly makes it sound as if Snake was a serious threat for an extended period before U.S. intelligence noted its presence.
In this final stage, the FBI asked a federal judge in New York to authorize a warrant allowing the agency to interact with infected computers in multiple jurisdictions. That was apparently the last step before lopping the head off of Snake.
Maybe the final state of an intelligence network isn’t playback—it’s silence.