It had been haunting the nights of the counterintelligence services of the United States and its allies for more than twenty years. Snake, malware described as the main cyberespionage tool of the Russian FSB, has been neutralized, the FBI said on Tuesday, May 9.

"The Department of Justice, in collaboration with our international partners, has dismantled a global network of malware-infected computers that the Russian government has used for nearly two decades to conduct its cyber espionage campaigns, including against our NATO allies," Merrick Garland, the US attorney general, said in a statement.

Medusa vs. Snake

This FBI-coordinated operation, nicknamed "Medusa", identified thousands of computers in fifty countries that the FSB was spying on remotely using Snake.

This malware works "like a digital implant that is installed on the targeted computer system and allows remote control," says Benoît Grunemwald, cybersecurity expert for the Slovak company Eset.

But not just any digital "implant". The FSB has had 20 years to perfect and update it in order to stay – at least so far – one step ahead of other countries' counterintelligence services. "When its existence was revealed to the general public in 2014, we realized that it had already been deployed in 43 countries for years and that it was, for the time, a real Rolls-Royce of state spyware," said Pierre Delcher, cybersecurity researcher for the Russian company Kaspersky.

At the time, it was a real revelation for part of the cyber community: a state actor - the link with the FSB had not yet been established - had gained a significant head start in transforming cyberspace into a huge playground for spies.

Centrepiece of Military Unit 71330

Already in 2013, Snake represented "one of the most sophisticated pieces of malware in the world," according to the FBI. "Its main strength has been and still is its stealth," says Benoît Grunemwald. It is virtually undetectable on the computers it infects and blends seamlessly into legitimate programs. In addition, "it is very good at obscuring its communications with its remote operators when it sends back the information retrieved from the victims' computers," says Pierre Delcher.

These qualities made Snake the centrepiece of FSB military unit 71330, a hacker cell operating under the direct authority of the Kremlin's spymasters that uses it against high-value targets.

This is how Snake allowed the FSB to spy on several embassies of NATO countries, government administrations in a dozen states, media groups in the United States, and also companies in the pharmaceutical and energy sectors.

No wonder, then, that intelligence agencies around the world have been conducting a vast hunt for Snake for the past decade. "They have already succeeded, on several occasions, in discovering and countering operations carried out with Snake, but without ever neutralizing it entirely," said Gérôme Billois, cybersecurity expert for Wavestone.

The difference this time is that the "Medusa" operation has "disabled part of the infrastructure that allows the use of this spyware," says Gérôme Billois. In other words, the authorities have neutralized a large part of the Snake network.

To achieve this, they made Snake bite its own tail. The FBI and its partners took control of infected computers and, from them, sent commands to disable the network to the servers controlled by the Russian spies. "It's a bit like they asked Snake to self-destruct," says Gérôme Billois.

Warning to Moscow

This is a blow for the FSB, but it should be able to recover, according to experts interviewed by France 24. "They may have lost part of the infrastructure and an important tool, but there have been no arrests, which means that the FSB still has the brains that operated it," said Gérôme Billois.

There is no doubt that these cyberespionage aces will get to work to get their network back on its feet. "This operation will probably slow down espionage campaigns against important targets for months," says Grunemwald.

The FSB probably has other assets up its sleeve. "This actor has known for at least ten years that everyone is trying to neutralize this threat; it has had time to work on alternatives," notes Pierre Delcher.

Finally, "this victory of the FBI and its allies will not grant huge operational advantages over Russia," says Gérôme Billois. But the important thing may lie elsewhere: "If Washington chose to inflict a snub on Moscow's spies the day after the May 9 celebrations in Moscow [Editor's note: the national holiday that marks the victory of the Soviets over Nazi Germany in 1945], it is probably not trivial," this expert points out.

In the midst of the war in Ukraine, it is a way for Washington to make Russia understand that the United States is capable, "in a completely legal way [Editor's note: it obtained judicial warrants to carry out each step of Operation Medusa] and thanks to international collaboration, of understanding and mastering the most sophisticated tool in the arsenal of Russian cyber-spies," concludes Pierre Delcher. The operation in fact signals to Moscow that even the FSB's most closely guarded secrets are not secret to Washington's big ears.
