FBI Disarms Russian FSB Snake Malware Network

Published: 23/11/2024   Category: security



Operation Medusa disabled Turlas Snake malware with an FBI-created tool called Perseus.



The US Department of Justice announced it has pulled off a joint operation code-named Medusa that decimated a long-standing malware operation run by the Federal Security Service of the Russian Federation (FSB).
For nearly 20 years, threat group Turla, operating inside the FSB's notorious Center 16, used Snake malware to steal secrets from North Atlantic Treaty Organization (NATO)-member governments, according to an announcement from the US Attorney's Office in the Eastern District of New York.
Following compromise of target government systems, Turla would exfiltrate sensitive data through a network of compromised machines spread throughout the US and beyond to make detection harder, the DoJ said.
The FBI developed a tool named Perseus, which was able to successfully command components of the Snake malware to overwrite itself on compromised systems, the DoJ added.
"For 20 years, the FSB has relied on the Snake malware to conduct cyberespionage against the United States and our allies — that ends today," Assistant Attorney General Matthew G. Olsen of the Justice Department's National Security Division said in the statement. "The Justice Department will use every weapon in our arsenal to combat Russia's malicious cyber activity, including neutralizing malware through high-tech operations, making innovative use of legal authorities, and working with international allies and private sector partners to amplify our collective impact."
Court documents show US authorities have been investigating Snake malware for nearly all of its two decades of existence and had officers assigned to monitor Turla's activities from a known FSB facility in Ryazan, Russia, the Eastern District of New York announcement of Operation Medusa added.
Likewise, threat hunters including Kevin Mandia have been tracking Turla's activities for many years, according to John Hultquist, head of Mandiant intelligence analysis for Google Cloud.
"Turla is a Russian cyber-espionage actor and one of the oldest intrusion groups we track, existing in some form as early as the 1990s when Kevin Mandia was responding to their intrusions into government and the defense industry," Hultquist remarked in a statement provided to Dark Reading, citing Mandiant's CEO and founder Mandia.
"They are focused on the classic targets of espionage — government, military, and the defense sector, and their activity is characterized by a reliably quiet assault on these targets that rarely draws attention to themselves."
There have been occasional high-profile Turla operations, he noted, like the Agent.BTZ incident in the early 2000s and the Moonlight Maze activity in the '90s, but these events are outweighed by a breadth of activity that goes unnoticed.
This year, Turla was observed by Mandiant using command-and-control servers from 10-year-old malware Andromeda to target and spy on Ukrainian systems.
And just last month, another threat group, Tomiris, was observed by Kaspersky researchers using Turla's Snake malware.
"Under similar circumstances, nation-state threat actors like Turla would have burned the Snake backdoor framework long ago and innovated something new," Frank van Oeveren, manager of threat intelligence & security research at Fox-IT, part of NCC Group, said in a statement provided to Dark Reading.
"But Snake itself is sophisticated and well put together, which shows how much time and money was spent in developing the framework," van Oeveren added. "We think it's quite likely Snake was detected in 50 countries – with NATO, their allies and other independent states, the list with possible targets gets quite extensive."
Turla, by van Oeveren's estimation, is creative and should not be underestimated, despite the Snake malware setback.
"Turla will most likely continue with a different framework, but it's always a surprise what the group will do," he said.
