US says it disrupted malware used by Russian spies to steal documents

US authorities have disabled malware allegedly used by Russia’s spy agency to steal sensitive documents for two decades across dozens of countries, including Nato member governments.

The US Department of Justice on Tuesday said the malicious software had been deployed for nearly 20 years by a unit in Russia’s Federal Security Service to misappropriate material from hundreds of computer systems in at least 50 countries linked to journalists and Nato member states.

“Russia used sophisticated malware to steal sensitive information from our allies, laundering it through a network of infected computers in the United States in a cynical attempt to conceal their crimes,” Breon Peace, US attorney for the Eastern District of New York, said in a statement.

The malware, called “Snake”, remains the “most sophisticated long-term cyberespionage malware implant” deployed by the FSB unit in question, known as Turla, the DoJ said.

“Turla is a Russian cyber espionage actor and one of the oldest intrusion groups we track, existing in some form as early as the 1990s, and focused on the classic targets of espionage — government, military and the defence sector,” said John Hultquist, head of Mandiant Intelligence Analysis, which is owned by Google.

While some of Turla’s work had previously been exposed in a handful of incidents going back to the early 2000s, “these events are outweighed by a breadth of activity that goes unnoticed”, he said. “Turla is focused heavily on operational security and stealth, and to that end they have consistently innovated.”

The collection of infected computers worldwide created a “covert peer-to-peer network” that obstructed monitoring from adversary intelligence services, according to an affidavit filed by an FBI agent. The network also bolstered the computers’ ability to move large amounts of data surreptitiously and communicate among each other. “Snake” compromised devices “indefinitely”, at times for years despite efforts to tackle the malware, the agent added.

During its probe of “Snake”, the FBI discovered that Turla used the malware to steal what were “believed to be” internal UN and Nato documents from a computer linked to the ministry of foreign affairs of a Nato member state, according to the affidavit.

The FSB unit also allegedly used the software on a personal computer of a journalist who had reported on the Russian government for a US news media company.

The FBI detailed a complex operation to first test a technical means to disrupt the hold that “Snake” had on a few computers in the US, and then expand that to the potentially thousands of computers that had been infected with the malware around the world.

Nicknamed Operation Medusa, riffing off the recurring use of an Uroboros motif — an image of a snake eating its own tail — by the coders at the FSB, the FBI appears to have tricked the malware into confusing instructions from the FBI with instructions from its operators or from similarly infected hosts, according to the affidavit.

The commands, sent via a bespoke FBI-program called Perseus — who in Greek mythology slew Medusa — essentially caused the malware to self-destruct, and is easily replicable at scale.

Merrick Garland, US attorney-general, said: “We will continue to strengthen our collective defences against the Russian regime’s destabilising efforts to undermine the security of the United States and our allies”.

The disruption comes in the wake of several co-ordinated actions by US authorities into Russia-linked spying and criminal networks, including the use of complex math to track down the owners of Bitcoin wallets receiving ransomware payments. In January, authorities infiltrated a ransomware group and provided its decryption keys to victims.

The Russian embassy in the US did not immediately respond to a request for comment.