US Disrupts Dangerous Russian Malware, DOJ Announces

The Department of Justice in Washington on Jan. 14, 2020. (Samira Bouaou/The Epoch Times)
Ross Muscato
5/10/2023 (updated 5/10/2023)
The United States Department of Justice (DOJ) announced on May 9 that, through a court-authorized counterespionage operation, it has disrupted a global network of computers infected with malware that Russia’s Federal Security Service (FSB), the successor to the Soviet Union’s KGB, had implanted on them.
The malware has been used for almost 20 years to spy on and steal sensitive information from governments and individuals in at least 50 countries, including the United States and other nations in the North Atlantic Treaty Organization (NATO).
Operation MEDUSA, the code name for the U.S. government operation, used an FBI-developed tool called “PERSEUS” that issued commands to the Russian “Snake” malware causing it to overwrite its own vital components, effectively disabling itself on the infected machines.
The search warrant signed by U.S. Magistrate Judge Cheryl L. Pollak of the Eastern District of New York authorized the FBI to access Snake-infected computers in the United States and deploy PERSEUS against the malware as part of Operation MEDUSA.
“The Justice Department, together with our international partners, has dismantled a global network of malware-infected computers that the Russian government has used for nearly two decades to conduct cyberespionage, including against our NATO allies,” said U.S. Attorney General Merrick Garland. “We will continue to strengthen our collective defenses against the Russian regime’s destabilizing efforts to undermine the security of the United States and our allies.”
Attorney General Merrick Garland, flanked by Deputy Attorney General Lisa Monaco (L) and FBI Deputy Director Paul Abbate, at the Department of Justice in Washington on April 13, 2023. (Evan Vucci/AP Photo)
Michael J. Driscoll, assistant director in charge of the FBI’s New York field office, added: “The operation we announced today successfully disrupted the foremost cyberespionage tool of the Russian government. For two decades, the malware allowed Russian Intelligence to compromise computer systems and steal sensitive information—harming not only the United States Government and our allies but also private sector organizations.”
Cyberespionage and cyberattacks are fundamental tools of the Russian government. It uses them to steal intelligence from public and private computers and networks, deny service and access to information, damage electronic infrastructure, disrupt alliances, spread disinformation, and suppress political and social activity.
Russia also partners with cybercriminals and criminal groups to carry out cyberaggression.
Russian propaganda outlets encourage cyberattacks against entities they deem enemies of Russia. During its invasion of Ukraine, Russia has deployed extensive cyberattacks, but with limited success.
On the same day that the Justice Department announced Operation MEDUSA, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a broad-ranging release on the growing Russian cyberthreat to American infrastructure.
According to that release, Russia’s cyberaggression is driven by the financial strain of its war with Ukraine and by a desire to punish the United States and its allies for supporting Ukraine.
CISA noted in the release that the FSB “has conducted malicious cyberoperations targeting the energy sector, including U.K. and U.S. energy companies, U.S. aviation organizations, U.S. government and military personnel, private organizations, cybersecurity companies, and journalists. FSB has been known to task criminal hackers for espionage-focused cyberactivity; these same hackers have separately been responsible for disruptive ransomware and phishing campaigns.”

The Justice Department noted in its announcement that while Operation MEDUSA disabled the Snake malware on infected computers, organizations whose systems had been infiltrated by Snake should treat those systems as still at risk and take additional steps to ensure their networks are secure.

DOJ explained that the operation only neutralized Snake itself; it “did not patch any vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks.” Any access the FSB gained alongside Snake may therefore persist until victims investigate and remediate it themselves.