How spies took down Putin’s most insidious weapon against the West
“A real war is being waged against our motherland!” Vladimir Putin boomed at crowds in Moscow’s Red Square this week. Yet even as his armoured cars and military trucks rolled across the cobbles in the annual Victory Day Parade, Western cyber experts were delivering the Russian leader a gift to remember.
The Snake malicious software (malware) network, used by Russia’s FSB spy agency, was knocked offline by the West’s Five Eyes espionage alliance on Tuesday in a multinational swoop codenamed Operation Medusa.
The takedown has disabled a vital Kremlin tool for interfering in Western elections, disrupting businesses and gathering intelligence on Moscow’s enemies – ending a two-decade-long cyber espionage campaign that targeted businesses and Western governments alike.
Paul Chichester, the National Cyber Security Centre’s director of operations, describes Snake as “a highly sophisticated espionage tool used by Russian cyber actors”, adding that Op Medusa helped expose the tactics and techniques being used against targets that his US counterparts say included Nato governments and countless corporations.
A spokesman for Canada’s Communications Security Establishment says: “This collective effort to counter Snake and Snake related tools has been ongoing for almost 20 years as the threat actor has adapted and adjusted their malware to keep it viable after repeated public disclosures and mitigation measures.”
In a landmark piece of cooperation between the West’s five pre-eminent cyber powers – Australia, Britain, Canada, New Zealand and the US – the network of compromised computers through which Snake’s operators controlled their implants was taken off the internet, effectively rendering Russian operatives blind.
In public documents, Western intelligence authorities describe Snake being deployed in an insidious and years-long campaign against the interests of global democracy.
The FSB used it to steal sensitive diplomatic documents from one Nato country, while also targeting financial services, critical manufacturers and media organisations across the free world. The personal computer of an unnamed journalist at a US media company was also infected.
John Hultquist, head of Google-owned Mandiant Intelligence Analysis, adds that at one point the FSB used Snake to eavesdrop on an Iranian hacking campaign, quietly helping themselves to information being stolen from a Western organisation even as the Iranians congratulated themselves on pulling off an intelligence coup.
Experts agree that Snake is one of the most insidious tools of its kind. Hultquist describes the cyber campaign as “one that we’ve known for the longest” as well as being “probably one of the slipperiest and most difficult to track”.
“They’ve been targeting the UK for a very long time,” says Hultquist.
“They’ve had a lot of operations there in my experience. But, you know, there’s operations in Ukraine right now, there’s operations throughout Europe”.
“There’s really no better time to blind their intelligence collectors than then when they need it most,” he continues, referring to Russia’s defence against Ukraine’s long-awaited military counteroffensive.
Putin’s military might was on full display in this month’s Victory Day parade. But Russia’s main weapon against the West is its hacking prowess. CREDIT: M24/Moscow News Agency via AP
Snake’s direct origins lie in 2003, when FSB computer experts began developing a piece of custom malware codenamed Ouroboros by their Western counterparts.
That system was eventually deployed against the West in 2008, when a USB drive loaded with malicious software was picked up and inserted into a computer by a curious American soldier in the Middle East.
The resulting cascade of virus infections took the US military 14 months to completely eradicate from its networks, with desperate commanders even resorting to a blanket ban on USB sticks.
Created and maintained by a Russian unit known variously as Centre 16 or Unit 71330, the malware was so complex that even FSB personnel at their base in Ryazan, 130 miles south-east of Moscow, struggled to use it properly.
“Our investigations have identified examples of FSB operators … who appeared to be unfamiliar with Snake’s more advanced capabilities,” the FBI told a US federal court in a sworn affidavit.
But even as the Russians grappled with Snake, US spies were keeping tabs on activity at the Centre 16 buildings from where the espionage tool was deployed and learning its weaknesses.
The culmination of Operation Medusa was an FBI technique that, by issuing commands through Snake’s own communications protocol, could “overwrite vital components of the Snake malware without affecting any legitimate applications or files” on infected machines, wiping the Russian program from each computer in one fell swoop.
Chester Wisniewski, chief technical officer for applied research at the cyber security company Sophos, says it took the Russians “years and years to develop Snake” and that its loss will hit Putin’s spies hard.
‘Only weeks of breathing space’
The UK’s National Cyber Security Centre, part of GCHQ (pictured), worked with the FBI and security agencies from New Zealand, Australia and Canada to dismantle Snake. CREDIT: Barry Batchelor/PA
The story of the system’s collapse sheds new light on the shadowy battle taking place between rival governments online.
FBI investigators worked out how Snake infected target computers and how it then quietly signalled its Russian operators that a freshly compromised machine was available for their use.
Using this technique, the FBI mapped out not only Snake’s victims but the all-important command-and-control network that gave the software its venom.
Professor Alan Woodward, a cyber security expert from the University of Surrey, says Snake’s technical features made it extremely difficult for the West to track down its weak spots. Yet the Russians made crucial mistakes that helped cyber experts cut off the Snake’s head.
Woodward explains that Snake uses a common piece of software, the OpenSSL library, to encrypt its network traffic so that it is hard for prying eyes to decode. However, a mistake in how the FSB’s developers used that library meant the West’s spies were able to break through this protection.
“Someone used this function incorrectly and established [encryption] keys that were not strong enough to withstand known attacks,” he says.
“Hence, the law enforcement agencies were able to see exactly how it was operating and [identify] the ultimate recipients of the data being stolen.
“They left some pointers for investigators, such as keywords and function names… It’s easily done when you’re in a hurry but it’s not a fundamental flaw of Snake.”
For all the West’s congratulatory back-slapping at this week’s takedown, however, experts agree that it is a temporary setback for Moscow rather than a permanent victory.
Don Smith, of cyber security company Secureworks, estimates that Snake might be back online within weeks. Sophos’ Wisniewski and Mandiant’s Hultquist both give it months at most.
All compare the malware’s operations with cyber crime networks of the sort that their respective companies track – and all expect that the FSB will soon resurrect its beheaded Snake.
“This was a victory for the cat,” says Wisniewski, “but the mice are wily – and they’re breeding fast.”