How Spies Destroyed Putin’s Most Insidious Weapon Against the West
“A real war is being waged against our Motherland!” Vladimir Putin boomed to the crowds on Red Square in Moscow this week. But even as his armoured cars and military trucks rolled over the cobblestones in the annual Victory Day Parade, Western cyber experts had just presented the Russian leader with a gift to remember.
The network of malicious software (malware) known as Snake, created by the Russian spy agency the FSB, was taken offline on Tuesday by the West’s Five Eyes intelligence alliance in a multinational swoop codenamed Operation Medusa.
Its dismantling has disabled a key Kremlin tool for interfering in Western elections, disrupting corporations and gathering intelligence on Moscow’s enemies, ending a two-decade cyber-espionage campaign that took aim at corporations and Western governments alike.
Paul Chichester, the National Cyber Security Centre’s operations director, describes Snake as “a sophisticated espionage tool used by Russian cyber actors”, adding that Operation Medusa helped uncover the tactics and techniques used against targets, which his US colleagues say include NATO governments and countless companies.
A spokesperson for Canada’s Communications Security Establishment says: “This collective effort to combat Snake and Snake-related tools has been going on for almost 20 years as the attacker adapted and customized their malware to keep it working after repeated public disclosures and mitigations.”
In a groundbreaking collaboration between the West’s five preeminent cyber powers – Australia, the UK, Canada, New Zealand and the US – the computer networks used to control Snake’s core malware were knocked off the internet, effectively leaving Russian agents blind.
In public documents, Western intelligence agencies describe Snake as being used in an insidious campaign against the interests of global democracy that has lasted for years.
The FSB used it to steal sensitive diplomatic documents from a NATO country, and also targeted financial services, major manufacturers and media organisations across the free world. The PC of an unnamed journalist at a US media company was also infected.
John Hultquist, head of intelligence analysis at Google-owned Mandiant, adds that the FSB once used Snake to eavesdrop on an Iranian hacking campaign, quietly helping itself to information being stolen from a Western organisation while the Iranians congratulated themselves on their intelligence coup.
Experts agree that Snake is one of the most insidious tools of its kind. Hultquist describes the cyber campaign as “one we’ve known about the longest” and “probably one of the most salacious and difficult to track.”
“They’ve had their sights set on Britain for a very long time,” says Hultquist.
“In my experience, a lot of operations were run there. But you know, there are operations in Ukraine right now, there are operations all over Europe.”
“There really is no better time to blind their intelligence collectors than when they need it most,” he continues, referring to Russia’s defenses against Ukraine’s long-awaited military counteroffensive.
Snake’s direct origins date back to 2003, when FSB computer experts started developing custom malware that their Western counterparts codenamed Ouroboros.
The system was eventually used against the West in 2008, when a curious American soldier in the Middle East picked up a USB drive loaded with malicious software and plugged it into a computer.
The resulting cascade of infections took the US military 14 months to remove completely from its networks, with desperate commanders even resorting to a blanket ban on USB flash drives.
The malware was developed and maintained by a Russian entity called Center 16 or Unit 71330. It was so powerful that even FSB personnel at its base in Ryazan, 130 miles southeast of Moscow, had trouble using it properly.
“Our investigation has identified examples of FSB personnel … who appear unfamiliar with Snake’s more advanced capabilities,” the FBI stated in US federal court filings.
But even as the Russians struggled with Snake, US spies monitored activity at the Center 16 buildings from which the spy tool was operated and learned of its weaknesses.
The culmination of Operation Medusa was an FBI technique to “overwrite vital components of the Snake malware without affecting legitimate applications or files” on infected computers, deleting the Russian program from every computer in one fell swoop.
Chester Wisniewski, chief technical officer for applied research at cybersecurity firm Sophos, says it took the Russians “years and years to develop Snake” and that its loss will hit Putin’s spies hard.
Only weeks of breathing space
The story of the system’s collapse sheds new light on the shadowy struggle between rival governments on the Internet.
FBI operatives devised a method to covertly track how Snake infected target computers and pinged its Russian operators to let them know that a freshly compromised machine was available for their use.
Using this technique, the FBI was able to locate not only Snake’s victims but also the all-important command-and-control network that gave the software its venom.
Professor Alan Woodward, a cybersecurity expert from the University of Surrey, says Snake’s technical characteristics made it extremely difficult for the West to find its weaknesses. But the Russians made crucial mistakes that helped cyber experts cut off the snake’s head.
Woodward explains that Snake uses the popular OpenSSL software to encrypt its web traffic, making it difficult for prying eyes to read. However, a user error meant that Western spies were able to break this protection.
“Someone misused this feature [encryption] and set up keys that weren’t strong enough to withstand known attacks,” he says.
“As a result, law enforcement could see exactly how it works and [identify] the final recipients of the stolen data.
“They left some clues for the investigators, like keywords and function names… It’s easy to do when you’re in a hurry, but it’s not a fundamental flaw on Snake’s part.”
Despite the West’s congratulatory pats on the back over this week’s coup, all the experts agree that it is a temporary setback for the FSB and not a lasting victory.
Don Smith of cybersecurity firm Secureworks estimates that Snake could be back online within weeks. Wisniewski of Sophos and Hultquist of Mandiant both give it only months.
All compare the malware’s operators to the cybercrime networks their respective companies track, and all expect the FSB to bring its decapitated snake back to life before long.
“That was a victory for the cat,” says Wisniewski, “but the mice are smart – and they reproduce quickly.”