How Western spies disrupted Putin’s Snake hacking tool
Russian cyber espionage operatives are effectively blinded as insidious malware weapon is taken offline, writes
‘A real war is being waged against our motherland,” Vladimir Putin boomed at crowds in Moscow’s Red Square this week. Yet even as his armoured cars and military trucks rolled across the cobbles in the annual Victory Day Parade, Western cyber experts were delivering the Russian leader a gift to remember.
The Snake malicious software (malware) network, used by Russia’s Federal Security Service (FSB) spy agency, was knocked offline by the West’s Five Eyes espionage alliance on Tuesday in a multinational swoop codenamed Operation Medusa.
Their takedown has disabled a vital Kremlin tool for interfering in Western elections, disrupting businesses and gathering intelligence on Moscow’s enemies – ending a two-decade-long cyber spying campaign that indiscriminately targeted businesses and Western governments alike.
Paul Chichester, the National Cyber Security Centre’s director of operations, describes Snake as “a highly sophisticated espionage tool used by Russian cyber actors”. He added that Medusa helped expose the tactics and techniques being used against targets that his US counterparts claim included Nato governments and countless corporations.
In a landmark piece of co-operation between the West’s five pre-eminent cyber powers – Australia, Britain, Canada, New Zealand and the US – the networks of computers used to control Snake’s central piece of malware were kicked off the internet, effectively rendering Russian operatives blind.
In public documents, Western intelligence authorities describe Snake being deployed in an insidious and long campaign against the interests of global democracy.
The FSB used it to steal sensitive diplomatic documents from one Nato country, while also targeting financial services, critical manufacturers and media organisations across the free world. The personal computer of an unnamed journalist at a US media company was also infected.
John Hultquist, head of Google-owned Mandiant Intelligence Analysis, adds that at one point the FSB used Snake to eavesdrop on an Iranian hacking campaign, quietly helping themselves to information being stolen from a Western organisation even as the Iranians congratulated themselves on pulling off an intelligence coup.
Experts agree that Snake is one of the most insidious tools of its kind. Hultquist describes the cyber campaign as “one that we’ve known for the longest,” as well as being “probably one of the slipperiest and most difficult to track”.
“They’ve been targeting the UK for a very long time,” says Hultquist. “They’ve had a lot of operations there, in my experience.
“There’s really no better time to blind their intelligence collectors than when they need it most,” he continues, referring to Russia’s defence against Ukraine’s long-awaited offensive.
Snake’s direct origins lie in 2003, when FSB computer experts began developing a piece of custom malware codenamed Ouroboros by their Western counterparts.
That system was eventually deployed against the West in 2008, when a USB drive loaded with malicious software was picked up and inserted into a computer by a curious American soldier in the Middle East. It took 14 months for the US military to completely eradicate the resulting cascade of virus infections.
Created and maintained by a Russian unit known variously as Centre 16 or Unit 71330, the malware was so powerful that even FSB personnel at their base in Ryazan, 130 miles south-east of Moscow, struggled to use it properly.
The culmination of Operation Medusa was an FBI technique to “overwrite vital components of the Snake malware without affecting any legitimate applications or files” on infected machines, wiping the Russian program from each computer in one fell swoop.
Chester Wisniewski, chief technical officer for applied research at the cyber security company Sophos, says it took the Russians “years and years to develop Snake” and that its loss will hit Putin’s spies hard.
The story of the system’s collapse sheds new light on the shadowy battle taking place between rival governments online.
FBI operatives developed a way of secretly tracking how Snake infected target computers and quietly pinged its Russian operators to tell them a freshly compromised computer was available for their use. Using this technique, the FBI mapped out not only Snake’s victims, but the all-important command-and-control network that gave the software its venom.
Prof Alan Woodward, a cyber security expert from the University of Surrey, says Snake’s technical features made it extremely difficult for the West to track down its weak spots. Yet the Russians made crucial mistakes that helped cyber experts cut off the Snake’s heads.
For all the West’s congratulatory back-slapping at this week’s takedown, however, experts all agree that it will only be a temporary setback and not a permanent victory.
Don Smith, of cyber security company Secureworks, estimates that Snake might be back online within weeks. Wisniewski and Hultquist both give it months at most. All compare the malware’s operations with cyber crime networks of the sort that their respective companies track – and all expect that the FSB will soon resurrect its beheaded Snake.
“This was a victory for the cat,” says Wisniewski. “But the mice are wily – and they’re breeding fast.”