The United States government has announced the dismantling of a global network of computers infiltrated by a highly advanced malware strain called Snake. The malware was developed by a Russian state-sponsored group tracked as Turla, which also operates under several other names, including Iron Hunter, Secret Blizzard, SUMMIT, Uroburos, Venomous Bear, and Waterbug. The U.S. government attributes the group to a unit within Center 16 of Russia's Federal Security Service (FSB), and its investigation assessed Snake to be the most sophisticated cyber espionage tool in the FSB's arsenal.
Turla is known for focusing primarily on European entities, the Commonwealth of Independent States (CIS), and countries affiliated with NATO. Recent activity shows the group expanding its targeting to Middle Eastern nations that Russia regards as a threat to the countries it supports in the region.
For almost two decades, Turla has used successive versions of the Snake malware to exfiltrate sensitive documents from hundreds of computer systems in at least 50 countries, including systems belonging to North Atlantic Treaty Organization (NATO) member governments, journalists, and other targets of interest to the Russian Federation. Turla routes the stolen documents through a network of unwitting Snake-compromised computers in the United States and worldwide.
The U.S. Federal Bureau of Investigation (FBI) created a tool codenamed PERSEUS as part of a neutralization effort called Operation MEDUSA. The tool allows the authorities to issue commands to the malware that cause it to "overwrite its vital components" on infected machines.
According to the FBI, the command makes a Snake implant disable itself without affecting the host computer or legitimate applications. This was possible because the FBI decrypted and decoded Snake's network communications, which let it craft the self-destruct instructions the implant accepts.
Snake is a C-based, cross-platform malware that operates as a covert tool for long-term intelligence collection on high-priority targets. It lets the adversary build a worldwide peer-to-peer (P2P) network of compromised systems. Its custom communication protocols add a layer of stealth, and its modular architecture allows components to be injected or modified to extend its capabilities and maintain continuous access to valuable information.
Snake infrastructure has been identified in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia. Although the infrastructure spans all industries, the group's targeting is deliberately tactical: it includes government networks, research facilities, and journalists. Victimized sectors within the U.S. include education, small businesses, media organizations, and critical infrastructure sectors such as government facilities, financial services, critical manufacturing, and communications.
The investigation shows that Turla remains an active and challenging adversary, using a distinct set of methods and tools to breach targets across Windows, macOS, Linux, and Android. The takedown comes just over a year after U.S. law enforcement and intelligence agencies disrupted Cyclops Blink, a modular botnet controlled by Sandworm, another Russian nation-state actor.