Russia’s Snakes Got DePlaned

The US Attorney’s Office in Brooklyn, EDNY, had a busy day on Tuesday. In addition to indicting George Santos for various kinds of fraud, EDNY’s US Attorney, Breon Peace, got to take credit for the “remediation” of a peer-to-peer network of compromised computers exploited by Russian hacking group “Turla” to hack collection targets around the world.

For geeks, the claimed effect of the operation was pretty cool. The FBI developed code (or had a contractor do it for them) that would exploit the very thing that makes the Snake malware so tricky — the proprietary communications sessions it uses to run a global network of relay nodes through which it launches collection attacks.

The majority of compromised systems serve as relay nodes (referred to as “hop points”) in the Snake network, that route traffic from the FSB’s ultimate target systems (referred to as “endpoints”) through the network back to Turla operators in Russia.

The FBI code was designed to command Snake to overwrite its operational components.

[A]n FBI-created tool named PERSEUS [] issued commands that caused the Snake malware to overwrite its own vital components.

[snip]

[T]hrough analysis of the Snake malware and the Snake network, the FBI developed the capability to decrypt and decode Snake communications. With information gleaned from monitoring the Snake network and analyzing Snake malware, the FBI developed a tool named PERSEUS which establishes communication sessions with the Snake malware implant on a particular computer, and issues commands that causes the Snake implant to disable itself without affecting the host computer or legitimate applications on the computer.

[snip]

Specifically, the FBI has developed a technique that exploits some of Snake’s built-in commands, discussed above, which, when transmitted by PERSEUS from an FBI-controlled computer to the Snake malware on the Subject Computers, will terminate the Snake application and, in addition, permanently disable the Snake malware by overwriting vital components of the Snake implant without affecting any legitimate applications or files on the Subject Computers..

We’ll see whether the operation was as successful as DOJ and NSA claimed. But the government at least claims to have significantly neutralized a hacking platform that has been a complex challenge for two decades.

A quote from a specialist on this hacking group made me want to look closer to understand what DOJ did, both technically and legally. Juan Andres Guerrero-Saade complained to CNN that the FBI had taken down the peer-to-peer network, rather than just sat on it to continue to observe what Russia’s FSB was doing.

Turla operatives are “genuine professionals,” Juan Andres Guerrero-Saade, a researcher who has tracked Turla for years, told CNN.

“They’re not traipsing around breaking things or calling attention to themselves in stupid ways,” said Guerrero-Saade, who is senior director of SentinelLabs, the research arm of security firm SentinelOne. He said that’s what you’d “expect from the GRU,” referring to Russia’s military intelligence agency, whose hackers are generally more conspicuous. “You don’t see that out of Turla.”

[snip]

While the FBI touted the action as another example of the bureau’s strategy to protect hacking victims, Guerrero-Saade wondered what visibility the FBI might have lost into Turla’s operations by exposing the network of hacked computers.

“The FBI has a hammer and they’ve decided this is just another nail,” Guerrero-Saade said. “And I don’t think espionage operations should be handled the same way that criminal operations are.”

But the search warrant affidavit suggests that’s what the FBI has been doing since 2016.

The materials released by the government provide a very selective narrative both of the hacking group and the intervention:

May 4, 2023: Search warrant affidavit

May 8, 2023: Planned operation

May 9, 2023: DOJ Press release; NSA press release; Joint Cybersecurity Advisory

The narrative starts in 2004, when investigators first started tracking Turla, ignores a 2008 Turla compromise of DOD computers, only names one collection target (a journalist) that might be in the US, and only describes likely German and French collection targets in passing.

As the affidavit describes, the FBI’s understanding of Turla derived from both “sensitive sources” and the monitoring of victims.

[T]hrough existing legal authorities, the cooperation of several U.S. victims[,] and sensitive sources, the FBI and U.S. Intelligence Community have obtained significant insight into the FSB’s cyberespionage activities against the United States and its allies using Snake.

A key part of the affidavit’s narrative describes that monitoring process. The FBI discovered that Turla compromised computers at US Victim A in San Jose, which let the FBI monitor how the malware worked. Using US Victim A, Turla compromised US Victim B in Syracuse, which in turn let the FBI monitor what happened from there. Using both US Victims A and B, Turla compromised US Victim D in Columbia, SC, which in turn let the FBI monitor traffic. Using Victim B, Turla compromised US Victim C, in Boardman, OR, which in turn let the FBI monitor traffic.

Over seven years, then, the FBI has been monitoring communications traffic from a growing number of US victim companies that Turla used as nodes. The affidavit emphasizes that these sites were used to attack overseas targets — like the presumed German and French targets mentioned in the affidavit. Aside from the journalist working for a US outlet (who could be stationed overseas), the affidavit doesn’t mention any US collection targets. Nor does it explain whence Turla targets US collection targets.


2004: Investigation begins

2008: Turla compromises US military computer via thumb drive (not mentioned in affidavit)

2015 to 2017: FBI monitored communication between US-compromised computer and Minister of Foreign Affairs in NATO member-state, collected and decrypted

Turla operators used Snake in an attempt to exfiltrate a large volume of what they believed to be internal United Nations and NATO documents sent from the NATO Victim-1

By description — particularly the reference to what hackers thought they were getting — this is likely Germany, as described in this report on the group.

It was Tuesday, Dec. 19, 2017, when German security officials received the tipoff. A foreign intelligence service informed the Bundesnachrichtendienst (BND), Germany’s foreign intelligence service, that somebody had hacked into the IT system belonging to Germany’s Foreign Ministry.

[snip]

And the hackers hadn’t actually stolen all that much by the beginning of 2018 – a total of six documents, only one of which was classified. Nevertheless, the BSI decided to throw the hackers out of the network. A short time later, public prosecutors launched an official investigation into the cyberintrusion.

2016: After finding IP address in Queue File on computers belonging to US Victim A in San Jose, CA, victim permitted FBI to do custom scan and monitor communication traffic to ID other hop points and victims

2017: FBI provides victim notification of earlier version of Snake on US Victim E computers in Van Nuys, CA

2017 to 2020: FBI monitored communications between US-compromised computer and NATO Victim-2 (possibly France)

2018: EDNY grand jury seated

2018: FBI observed communications between US Victim A and computers in Syracuse, NY, owned by US Victim B and performed custom scan and monitored traffic

2018 to 2022: FBI identified traffic between US Victims A and B and computers in Columbia, SC owned by US Victim D; FBI performed a scan and monitored traffic

January 2020: FBI identified communication between US Victim B and cloud provider US Victim C in Boardman, OR; FBI performed custom scan and monitored ongoing traffic

2020 to 2021: FBI identified traffic between US Victim A and computer located in Hicksville, NY owned by US Victim F

2021 to 2022: FBI observes traffic between US Victims D and US Victim E; FBI provided custom scan but Victim E did not permit ongoing monitoring

2022: By the time FBI alerts US Victim E, it had ceased operation and discarded the computers

February to March 2022: FBI identified communication between US Victim A and computers in Gaithersburg, MD owned by US Victim G, which refused to cooperate with the FBI

nd: Turla used Snake to target journalist for US news media company (country location not stated)


As this timeline lays out, in the last two years, Turla exploited three US victim companies — US Victim E and G, both of which refused full cooperation, as well as the defunct one, US Victim F, in Hicksville, NY, that might be how EDNY would claim to establish venue if you ignore that that hack happened after the grand jury that conducted this investigation was seated in 2018 — from which the FBI was unable to get the kind of voluntary cooperation that US Victims A, B, C, and D offered. At first I mistakenly thought that FBI might have acted now because they were finding less success with the monitoring approach they’ve used since 2016.

But those computers are a different set (though possibly overlapping) than the set of computers targeted by this warrant. While Subject Computers 2 and 3 listed in the affidavit, both located in Columbia, SC, could be owned by US Victim D, US Victims E and G are not targeted. The additional targeted computers are located in Portland (Subject Computers 1 and 2), Atlanta (Subject Computer 4), Windsor, CT (Subject Computer 5), and Rancho Cordova, CA (Subject Computers 6, 7, and 8). If Subject Computers 2 and 3 do belong to US Victim D, including them might serve primarily to qualify this for remote search under 41(b)(6)(B) (which requires 5 districts).

For US purposes, the more important part of the operation may be parallel efforts done overseas. The affidavit suggests that the FBI will only execute the search within the US and foreign governments will only execute the search within their jurisdictions.

On or about May 8, 2023, the FBI, in coordination with certain foreign governments acting outside of the United States, intends to execute a technical operation, codenamed MEDUSA, to disable Snake malware on numerous computers worldwide. Specifically, at a chosen time, FBI personnel will use PERSEUS to authenticate and establish sessions with the Snake malware on the Subject Computers, and send to the Snake implants on the Subject Computers built-in commands that will terminate the Snake application and, in addition, permanently disable the Snake malware by overwriting vital components of the Snake implant without affecting any legitimate applications or files on the Subject Computers. At the same time that the FBI executes the remote search technique described in this Affidavit to disable the Snake malware on computers located in the United States, certain foreign government authorities will take action to remediate Snake-compromised computers within their territories.

The press release is a bit more vague about that (and there are probably nodes in countries that the US IC would not trust enough to coordinate such an operation).

For victims outside the United States, the FBI is engaging with local authorities to provide both notice of Snake infections within those authorities’ countries and remediation guidance.

[snip]

The FBI and U.S. Department of State are also providing additional information to local authorities in countries where computers that have been targeted by the Snake malware have been located.

As the affidavit described it, the FBI used a Rule 41(b)(6)(B) warrant permitting the government to search remotely in more than one District at a time so as to allow for the simultaneous worldwide operation.

The FBI believes that use of the remote search technique described in this Affidavit is necessary to ensure the success of the coordinated technical operation to disrupt the Snake malware network worldwide. As detailed above, the Subject Computers are located in geographically disparate locations throughout the United States. There are not sufficient FBI personnel available who possess the specialized training and experience with the sophisticated Snake malware to physically travel to each location to disable the Snake malware on each of the Subject Computers simultaneously. Thus, without authorization to use the remote search technique requested in this Affidavit, the FBI would not be able to timely disable the Snake malware on the Subject Computers as part of a coordinated operation against the worldwide Snake network.

Whatever the case, the press release speaks in fairly expansive terms about neutralizing the entire network, not just some nodes in it.

To cycle back to Guerrero-Saade’s complaint, then, it seems that FBI has been monitoring this network for years. Indeed, one wonders how much of the roll-up of Russian spying in recent years has benefitted from doing so.

But it seems that the US and its partners decided they had the capability and the will to attempt to shut down this network now (at a time, it should be said, when Russia is ratcheting up attacks on Ukraine and in advance of Ukraine’s planned counterattack). Perhaps it is just part of the larger response rolled out in the wake of Russia’s attack on Ukraine.

image_print
28 replies
  1. Robot17 says:

    Any bets on the Feds and others having exhausted its Counter Intel value have decided to roll it up? They aren’t stupid after all. Guerrero-Saade thinks they should milk a mouse? My bet is the FBI looks at the network as stale bread.

      • Robot17 says:

        To wit: “We have been collectively investigating Snake and Snake-related tools for almost 20 years, as well as other operations by this unit since the 1990s. During that time, the FSB has used Snake in many different operations, and they have demonstrated the value placed in this tool by making numerous adjustments and revisions to keep it viable after repeated public disclosures and other mitigations.”

  2. obsessed says:

    Quick Off-Topic Question: Can Trump use the 5th Amendment or other legal maneuvers to stop his public statements about, for example, his handling of top secret documents, from being introduced in a trial? For example, can he say “I was lying and I wasn’t under oath” and prevent a jury from hearing his statements (for example on the CNN debacle)?

    • earlofhuntingdon says:

      Like you, Trump can assert his Fifth Amendment right not to incriminate himself when asked questions, whether in or out of court. He need not be arrested or under oath.

      Trump’s past public out-of-court statements, when it’s proven he made them, are matters of fact. They might be admissible at trial, for example, for a variety of purposes: the truth, state of mind, impeachment, etc. But he cannot assert a right he failed to assert when he made those public statements.

      • bmaz says:

        Any defendant can take the Fifth. Could such a statement be admitted over that? Yes, given the proper foundation and subject to Rule 403, maybe, but it is not a given.

    • Bill Crowder says:

      Statements against interest are by definition not hearsay. If satisfy relevance, etc., they are admissible.

      • bmaz says:

        That is just not right. Still needs to have proper foundation and exceed probative v. prejudicial standard. Please do not make people here stupid.

  3. Bobby Gladd says:

    I’m not a lawyer, but I would seriously doubt that. He wasn’t Mirandized before he went on stage. He’s not yet under any criminal indictment. And, a CNN Studio is not a precinct interrogation room. Not that he wouldn’t try to pull some crap like that, of course.

    • earlofhuntingdon says:

      Not relevant. Trump can assert his Fifth Amendment rights at any time to avoid answering a question in any forum. The context would determine the consequences. He needn’t have been arrested, or be under interrogation or under oath.

  4. The Old Redneck says:

    The short answer on the Trump statements is: no. Anything that bears on his credibility can be used against him. He can explain why he said it, whether he was lying, etc., but the bottom line is he can be confronted with his own statement. And anyway, trying to dispel the impact of your statements by saying you were lying to the world doesn’t make for the best optics.
    Even if he doesn’t testify in a criminal trial, the statement can still be admitted into evidence as long as someone who heard it testifies about it, or it’s captured on video.

      • bmaz says:

        Good grief, PLEASE make it stop. This is “defamation” about a criminal case for which both the criminal and civil statute of limitations should have expired nearly 25 years ago.

    • obsessed says:

      Thanks! And wow … his legal and political strategies seem hopelessly incompatible.

  5. Doctor My Eyes says:

    Since there’s been one off-topic discussion, may we indulge another? I’m not a lawyer, but I think like one, as my mother used to tell me. I haven’t seen the following thoughts anywhere, and it seems to me the most accurate way to think about the “debt ceiling crisis.” I would love to get feedback on this.

    I know it riles bmaz to hear talk of attempts to do a magical run-around on the constitution. I agree with that. The following way of looking at it makes clear to me that there is no possible constitutional solution for the executive. The problem is a constitutional crisis create entirely by Congress.

    The president is sworn to faithfully execute laws passed by Congress. What if Congress passed two laws one day: 1) Create a Charles Barkley Federal holiday and 2) DO NO CREATE any more federal holidays. How does the president faithfully execute both of these laws? Preventing the president from paying the US debt creates the same problem. Congress has passed laws previously, and today Congress is telling the executive not to spend the money necessary to execute those laws.

    Here’s where the 14th amendment comes in. The US cannot default on its debts. The legislative branch has required the executive to take specific actions which are known to cost predictable amounts of money. Inherent in the legislation is an understanding that the executive HAS THE DUTY to spend the money necessary to execute the law. If the government borrowed money to pay for this spending, then the 14th amendment obligates the government to repay that debt.

    Recently Laurence Tribe came close to this, but still failed to lay out the constitutional reality clearly enough. In his discussion, he mentions that SCOTUS has held that the president does not have a right to use a line veto, meaning the president cannot decide which programs to fund (laws to execute) and which programs to cut (laws to not execute). This is why’s Biden’s challenge to a reporter today, to tell him which programs Congress proposes to cut, is even more on point perhaps than the administration understands. That question amounts to asking congress to instruct the executive which laws not to faithfully execute.

    https://www.youtube.com/watch

    Btw, to fore-parry ad hominem responses, I have heard of Tribe but don’t know what he represents nor whether he’s an empty celebrity. I have been thinking this way since well before I heard Tribe’s thoughts. It struck me, though, because it’s the first time I’ve seen someone approach this thinking. As a culture, our failure to look at it in this fashion has roots in our having forgotten to think of the president’s choices in terms of constitutional duty rather than in terms of executive power. He really is supposed to be the servant of the people. The people have a duty not to assign him self-contradictory instructions.

    • Fran of the North says:

      Thanks for the link. A fascinating read. Unless I missed it here or there, no definitive statement on how many of the snake heads got cut off.

      Presumably they allowed the Perseus countermeasures to replicate throughout the ‘hundreds’ of infected hosts over time and lay dormant until an ‘execute’ order was given, and many if not most were disabled.

  6. WilliamOckham says:

    Looks like I’ve got some reading to do this weekend. Busy geeking out at the day job right now. This one looks like it might be as much fun as Stuxnet.

    • Rayne says:

      Turla’s stuff should probably be mapped against Stuxnet’s development and roll out. Have to wonder if they’d both watched it developed and then tiptoed around it out in the wild. That thumbdrive dropper… O_O

  7. WilliamOckham says:

    One quick note, this ought to have everyone reevaluating the FBI response to the Alfa Bank/Trump Tower/Spectrum story given what we know now. I don’t think there is any connection between Snake and that business. However, it would have been incredible malpractice not to have initiated an investigation of whether those servers were hop points for Snake. And, as far as I know, there was no investigation.

    • emptywheel says:

      I had a slightly different take.

      I wonder whether FBI/NSA used some of the DNS work that Rodney Joffe was doing to track Snake, and the focus on it was an attempt to undermine that.

      I’m mindful that one of the things that Jake Appelbaum focused on in his dissertation was DNS lookups, as if that’s a special kind of spying. It really was never a focus of the Snowden releases, but given that Jake likely was involved in the front end of the Snowden releases, I wonder whether it was a goal of it.

  8. AirportCat says:

    I just love the title of this post. And kudos to the FBI for sending Perseus after the snakes. Well played.

  9. vigetnovus says:

    Agree 100%. Who’s to say the initial investigation wasn’t ultimately shut down because it was too overt, and a covert national security investigation opened in its stead?

    Also, along the “relay point” line, I wonder if Snake was ultimately a better way to communicate within the US by covert actors without the NSA being able to hoover up the communications. In addition, if preponderance of the nodes were within the US and friendly allies (esp. FYVEY or NATO networks), that also could be a way to disguise threat actors comms among “friendly” traffic, and could have been a glaring deficiency in any EO 12333 surveillance net.

Comments are closed.