Tuesday, October 21, 2025

U.S. says it has disabled major Russian cyberespionage operation

Federal law enforcement officials said Tuesday that they have hacked and disabled a complex Russian cyberespionage operation that allegedly was used for about 20 years to steal sensitive government materials from the United States and its allies.

Officials described the Russian operation as one of that country’s most powerful cyberespionage tools. FBI officials said the agency has been secretly investigating the network for nearly as long as it was in operation but executed a court-authorized search warrant only this week to remotely hamper the Russian malware.

According to federal officials, law enforcement personnel had to surreptitiously develop their own cyber-infrastructure to interact with and disrupt the malware, which the Russians were constantly updating and changing.

The U.S. government, which coordinated its investigative activities with foreign governments, also had to time the execution of the search warrant to access the compromised computers simultaneously to keep the Russians from reacting and thwarting the operation.

“Through a high-tech operation that turned Russian malware against itself, U.S. law enforcement has neutralized one of Russia’s most sophisticated cyber-espionage tools, used for two decades to advance Russia’s authoritarian objectives,” Deputy Attorney General Lisa Monaco said in a news release.

Law enforcement officials said the malware, known as “Snake,” was developed and operated by the Federal Security Service, the Russian government’s main security agency, which uses the acronym FSB.

The Russians allegedly used the malware to steal sensitive information from computer systems in at least 50 countries and to spy on journalists and other Russian “targets of interest,” Justice Department and FBI officials said. Russian officials allegedly would steal the materials and route them through U.S. computers that had been infected with malware to try to avoid detection.

The U.S. government launched “Operation Medusa” to covertly disable Snake, officials said. The FBI did this by creating a cyber-tool called “Perseus,” which essentially used code to command the Snake malware to overwrite itself.

“Today, Snake is the FSB’s premier long-term cyberespionage malware implant,” said an FBI affidavit in support of a search warrant that was unsealed this week in the Eastern District of New York. “Most importantly, the worldwide collection of compromised computers acts as a covert peer-to-peer network, which utilizes customized communication protocols designed to hamper monitoring and collection efforts by adversary signals intelligence services.”

The investigation included asking a New York judge for permission to remotely access computers in multiple jurisdictions and then remotely seize data stored in these computers to counteract the Russian malware.

U.S. officials have used this law allowing remote access, known as Rule 41, to take down other foreign cyberespionage operations.
