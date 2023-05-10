

With ‘Operation Medusa,’ U.S. cyber officials cut off the head of Russia’s ‘Snake’ hacking campaign

The Justice Department announced on Tuesday that it disrupted Russian government cyberespionage malware that has infected targets in at least 50 countries. The U.S. government had been investigating it for more than 20 years.

On the same day, a coalition of U.S. and U.S.-allied cyber agencies released technical details on the malware, known as Snake, to help industry and governments to shut it down.


It’s the latest in a series of increasingly frequent disruption operations the United States has conducted, but this might be the most formidable target to date. Court documents attribute the cyberespionage campaign to Turla, a hacking group that’s a unit of Russia’s Federal Security Service (FSB). Turla is regarded as one of the world’s savviest and most persistent hacking groups.

“For 20 years, the FSB has relied on the Snake malware to conduct cyberespionage against the United States and our allies — that ends today,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s national security division.

How it went down

My colleague Perry Stein has the details on the disruption operation:

“According to federal officials, law enforcement personnel had to surreptitiously develop their own cyberinfrastructure to interact with and disrupt the malware, which the Russians were constantly updating and changing,” Perry wrote.

“The U.S. government, which coordinated its investigative activities with foreign governments, also had to time the execution of the search warrant to access the compromised computers simultaneously to keep the Russians from reacting and thwarting the operation.”

“The U.S. government launched ‘Operation Medusa’ to covertly disable Snake, officials said. The FBI did this by creating a cybertool called ‘Perseus,’ which essentially used coding to demand that the Snake malware overwrote itself.”

German public broadcasters BR and WDR last year uncovered clues about Turla that led them to a company in the Russian city of Ryazan, and court documents said the U.S. government has been monitoring FSB officers assigned to Turla there. The Justice Department also worked with international agencies on the operation.


The separate joint alert from world cyber agencies details the scope of Snake’s reach.

“We have identified Snake infrastructure in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia, to include the United States and Russia itself,” it reads.

“Although Snake uses infrastructure across all industries, its targeting is purposeful and tactical in nature. Globally, the FSB has used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities, and journalists.”

The idea of the alert is to help industry and governments identify Snake and remove it.

“Snake infrastructure has spread around the world,” said Rob Joyce, the National Security Agency’s director of cybersecurity. “The technical details will help many organizations find and shut down the malware globally.”

The disruption operation was the second for U.S. law enforcement in as many days, following the seizure of domains affiliated with 13 distributed denial-of-service-for-hire services used to knock websites offline.

Industry response

Cyber organizations that have been tracking Turla for years had a mostly positive response to the disruption operation.


“Operation MEDUSA, and others like it, highlight the importance of public/private collaboration and threat intelligence information sharing in the global effort to take down sophisticated cyber adversarial groups,” Adam Meyers, head of intelligence for CrowdStrike, said via email.

In reference to the Ukraine war, John Hultquist, vice president of Mandiant Threat Intelligence, tweeted: “This disruption will be temporary, but there’s a war on, and there's never a better time to disrupt the enemy's intelligence apparatus [than] when they are trying to make better decisions to get off the back foot.”

But at least one industry expert was skeptical about disrupting cyberespionage operations, given the chance of losing valuable information on the groups.

“The FBI has a hammer and they’ve decided this is just another nail,” Juan Andres Guerrero-Saade — senior director of SentinelLabs, the research arm of security firm SentinelOne — told CNN’s Sean Lyngaas. “And I don’t think espionage operations should be handled the same way that criminal operations are.”

The keys

E.U. proposing stricter cybersecurity label rules for major cloud-computing providers outside Europe

A proposed law would declare that major cloud providers outside Europe that try to get an E.U. label permitting them to handle sensitive data would only be able to do so under a joint venture with an E.U. company, Foo Yun Chee reports for Reuters.


“U.S. tech giants and others involved in the joint venture can only have a minority stake, and employees that have access to EU data would have to undergo specific screening and have to be located in the 27-country bloc,” the report said, citing an E.U. draft document first seen by Reuters.

The proposal comes from the European Union Agency for Cybersecurity (ENISA) and concerns an E.U. certification scheme “that would vouch for the cybersecurity of cloud services and determine how governments and companies in the bloc select a vendor for their business,” Yun Chee writes.

The document says that the proposed rules would apply to both personal and non-personal data “of particular sensitivity” in which the breach adversely affects public order, safety, human life, health or intellectual property.

Industry groups argue it would put U.S. cloud providers on unequal footing in the bloc, while regulators claim that such laws are necessary for data protection, the report said.

The draft will be reviewed later this month, followed by adoption of a final rule.

Dallas restores core emergency systems following ransomware attack

Dallas restored critical services following outages caused by a ransomware attack last week, Matt Kapko reports for Cybersecurity Dive.


Kapko writes: “The Dallas Police Department and city’s websites are back online as of Sunday, Bill Zielinski, CIO for the City of Dallas, said during a city council public safety committee meeting.”

The city’s computer-aided dispatch system remains offline, and court proceedings and trials have been paused since last week.

Additionally, the city’s IT department has almost finished a review of 1,900 mobile devices in police and fire vehicles. Upon completion, “we’ll have full and complete dispatch capability to where we have moved wholly away from the manual operations,” Zielinski said.

The city continues to explore options to remediate the incident reportedly caused by an offshoot of the Conti ransomware group.

The ransomware attack reportedly prevented investigators from obtaining police call information on the suspect in a mass killing over the weekend, demonstrating how such attacks pose risks to public health and safety.

Iran-sponsored hackers exploiting vulnerability in PaperCut print management software

Iranian-linked hackers have been targeting a patched vulnerability in printing software PaperCut that allows unauthenticated users to enter a system and freely run code with full system privileges, Ionut Arghire reports for SecurityWeek, citing research from Microsoft.


“In late April, PaperCut urged customers to update their installations as soon as possible, raising the alarm on the first attacks targeting the vulnerability, while endpoint and response security firm Huntress warned that most PaperCut MF/NG deployments were unpatched,” Arghire writes.

The Iran state-sponsored attackers have leveraged publicly available code to carry out attacks, the report said.

“As more threat actors begin to use this vulnerability in their attacks, organizations are strongly urged to prioritize applying the updates provided by PaperCut to reduce their attack surface,” Microsoft said.


Daybook

Federal IT leaders speak at GIST23 at the International Spy Museum beginning at 8:30 a.m.

ICS Village kicks off its two-day Hack the Capitol event featuring CISA Director Jen Easterly and other cyber officials beginning at 9 a.m.

The House Agriculture Committee holds a hearing on cryptocurrency regulation at 9:30 a.m.

NIST Director Laurie Locascio testifies to the House Science, Space, and Technology Committee about the agency’s fiscal year 2024 budget at 10 a.m.

The House Oversight Committee convenes a hearing on legacy IT systems at 2 p.m.

Secure log off

Thanks for reading. See you tomorrow.
