DOJ disrupts Russian-controlled global malware network

The operation is codenamed "MEDUSA."

May 9, 2023, 11:04 AM

The Justice Department on Tuesday announced the dismantling of a global network of computers infected by malware that Russia's state security services have allegedly used for nearly 20 years to steal secrets from the U.S. and NATO allies.

The operation -- code named "MEDUSA" -- aimed to neutralize the so-called "Snake" malware used by a unit within the Russian FSB known as "Turla," which experts consider to be one of the most sophisticated cyber espionage groups in the world.

DOJ and other global partners identified the Snake malware in computer systems in at least 50 countries. The Turla group used the malware to target NATO member states, financial sectors, journalists and other targets of the Russian government dating back as early as 2004, officials said.

Channeling more Greek mythology, the FBI says it recently created a tool officials dubbed "PERSEUS" to effectively neutralize the Snake malware after receiving authorization from a judge in Brooklyn to secure remote access to infected computers.

The PERSEUS software "establishes communication sessions with the Snake malware implant on a particular computer, and issues commands that causes the Snake implant to disable itself without affecting the host computer or legitimate applications on the computer," according to DOJ.

The Snake malware was previously assessed by the U.S. intelligence community to be "one of the most sophisticated malware sets used by the Russian intelligence services" to target ministries of foreign affairs and ministries of defense in NATO-allied countries, officials added.

The FBI began deploying the PERSEUS tool against infected computers yesterday and they were able to confirm that Turla's access to many of the computers had been disrupted, an FBI official told reporters Tuesday morning.

The bureau says it notified all victims whose computer systems were accessed as part of the MEDUSA operation, and the United States and Five Eyes partners have issued a joint cybersecurity advisory with detailed technical information on the malware so cybersecurity experts can detect whether other networks may have been infected.

There's an ongoing risk to some of those targeted, officials said, because after gaining access to networks, the Turla group is known to use a "keylogger" tool that steals account passwords and other authentication credentials.

Related Topics