Head of Russia’s Global Malware Network ‘Snake’ Cut Off by Five Eyes Alliance

Published: 12 May 2023

A Russian malware network known as “Snake” that infected systems across the globe for over 20 years has now been dismantled. (Photo: jaydeep_, Pixabay, License)

By Henry Pope

Authorities across the Five Eyes intelligence alliance - Australia, Canada, New Zealand, the United Kingdom, and the United States - announced that a multi-national cyber operation had cut off the head of “Snake,” a global malware and data theft network created by Russia’s principal intelligence agency, the Federal Security Service (FSB).

Brought to life in 2003 by FSB’s Center 16, which oversees Russia’s long-term intelligence gathering operations, Snake infiltrated computer systems across no less than 50 countries for nearly 20 years. Many of these, the U.S. Justice Department (DOJ) said, belonged to NATO member states.

The Russian government has long been known to engage in malicious cyber espionage.

Amongst the Kremlin’s goals in doing so are “to suppress certain social and political activity, to steal intellectual property, and to harm regional and international adversaries,” according to a Russia cyber threat overview by the U.S. Cybersecurity & Infrastructure Security Agency (CISA).

In this endeavor, the Snake implant is considered the most sophisticated tool in Center 16’s arsenal for long-term intelligence collection on sensitive targets, according to a joint advisory released by the CISA, in cooperation with its domestic and international intelligence partners.

The malware has gone through many monikers since its birth. It was originally conceived as “Uroburos,” a name derived from the ancient symbol of a serpent devouring its own tail.

Other, less poetic names used by Center 16 include “Ur0bUr()sGoTyOu#” and “gLASs D1cK”.

By infiltrating computers around the world, the Snake malware linked the infected systems into a network, allowing the FSB to relay traffic through them toward the computer systems of its ultimate targets and gain access to the sensitive material held there.

And once these otherwise inaccessible digital files were stolen, Snake exfiltrated them through the same network of compromised computers and back to Center 16.

Widely used operating systems such as Windows, macOS, and Linux were equally vulnerable to the Snake’s fangs.

“Russia used sophisticated malware to steal sensitive information from our allies, laundering it through a network of infected computers in the United States in a cynical attempt to conceal their crimes,” said Breon Peace, U.S. Attorney for the Eastern District of New York.

Industries targeted by the malware in the past have included: healthcare, defense, critical infrastructure, energy, communications, water, and finance. British intelligence also said that Center 16 had conducted cyber-operations against its own citizens, including dissidents, political opponents, and journalists.

But even after a target had been compromised, the malware would remain attached to the system indefinitely, in case the network needed it again in the future, the CISA said.

And despite the fact that 20 years would make any piece of software obsolete, U.S. investigators noted that Russian intelligence had applied numerous upgrades and revisions to the malware, ensuring that it remained the FSB’s most sophisticated and reliable data theft tool.

Recognizing this danger, the governments of the U.S., Canada, the U.K., Australia, and New Zealand banded together to root out Russia from the deepest corners of the internet.

In a nod to its adversary, the operation tasked with nullifying Snake was codenamed “Medusa,” the mythological creature who had venomous snakes for hair and could turn those who gazed into her eyes to stone.

Fighting fire with fire, the U.S. Federal Bureau of Investigation (FBI) developed its own software called “Perseus,” which could decrypt and decode Center 16 communications sent along the Snake network.

In Greek mythology, Perseus is the legendary hero who beheaded the snake-haired Medusa.

The Perseus software infiltrated Snake’s communications and issued commands that caused the malware to disable itself without inflicting further harm upon the host computer, the DOJ said.

“The operation we announced today successfully disrupted the foremost cyber espionage tool of the Russian government,” said FBI Assistant Director-in-Charge Driscoll. “For two decades, the malware allowed Russian Intelligence to compromise computer systems and steal sensitive information - harming not only the United States Government and our allies but also private sector organizations.”

Though Five Eyes’ efforts succeeded in countering the Snake threat, the DOJ noted that Medusa did not patch any vulnerabilities for the malware, nor did it remove any other hacking tools Center 16 may have placed onto its victims’ computer systems.

The CISA also noted that cutting off the head of the snake by no means meant that the body had died.

Russian cyber intelligence, the U.S. agency said, has had help over the years from a number of groups - more specifically, from spiders, ready to work alongside snakes.

State-sponsored cyber actors who go by the names “Mummy Spider,” “Salty Spider,” “Scully Spider,” “Smokey Spider,” and “Wizard Spider” have all demonstrated themselves capable of compromising IT networks and extracting sensitive data from protected networks.

Together, they have aided Center 16 by targeting computer systems across NATO and infiltrating their finance, healthcare, and government networks, amongst others.

They have even aided Russia in its invasion of Ukraine, the CISA said, by launching denial-of-service attacks against Ukrainian targets to disrupt their networks and hinder Ukrainian efforts to drive the aggressors back.