Federal Operation Takes Down Sophisticated Russian Malware


Snake malware has plagued international digital networks for nearly two decades; a joint federal effort finally dismantled the web of espionage spyware.

The Department of Justice announced Tuesday that it and international partners had completed an effort to track and disrupt a peer-to-peer network fueling Russian malware in an operation known as MEDUSA.

“The Justice Department, together with our international partners, has dismantled a global network of malware-infected computers that the Russian government has used for nearly two decades to conduct cyber-espionage, including against our [North Atlantic Treaty Organization] allies,” stated U.S. Attorney General Merrick Garland. “We will continue to strengthen our collective defenses against the Russian regime’s destabilizing efforts to undermine the security of the United States and our allies.”

Operation MEDUSA disabled Snake malware, otherwise known as Turla in unsealed legal records, using a software tool created by the Federal Bureau of Investigation. This tool, called “Perseus,” issued commands that prompted Snake malware to overwrite its own code.

“Through a high-tech operation that turned Russian malware against itself, U.S. law enforcement has neutralized one of Russia’s most sophisticated cyber-espionage tools, used for two decades to advance Russia’s authoritarian objectives,” stated Deputy Attorney General Lisa Monaco.

The MEDUSA announcement comes alongside a joint federal warning about the spyware’s ability to compromise digital networks’ architecture and communications, the latest instance of national security concerns shifting to cyberspace.

Alongside Justice’s announcement, the Cybersecurity and Infrastructure Security Agency issued a formal advisory detailing the malware. Investigative efforts revealed that the tool was designed and used by Center 16 of the Russian Federal Security Service and has been remotely deployed for nearly 20 years via a covert peer-to-peer network of applications.

Snake infrastructure was detected on infected computers in over 50 countries worldwide. Its traffic was disguised as ordinary operational traffic across the targeted computer systems, and the malware was used to collect sensitive information and data, mainly from NATO member countries and their allies.

“Although Snake uses infrastructure across all industries, its targeting is purposeful and tactical in nature,” CISA’s advisory reads. “Globally, the FSB has used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities and journalists.” 

Specifically in the U.S., investigators recorded Snake and the FSB targeting victims in the education, critical manufacturing, small business and communications sectors. 

In addition to Justice and CISA, the National Security Agency and the U.S. Cyber Command Cyber National Mission Force contributed to Operation MEDUSA. 

Snake’s takedown comes amid public sector entities reporting state-sponsored cyber actors as their number one cause of concern in a 2023 survey, fueled in part by Russia’s continued war on Ukraine and broader global hostility.