The Snake, The FBI, And Center 16: Why The Takedown Of A ‘Most Sophisticated Cyber-Espionage Tool’ Is Important – Analysis
By RFE RL
By Mike Eckel
(RFE/RL) — For more than a decade, a unique bit of malicious computer code was burrowed in the deepest corners of Internet servers in more than 50 countries, secretly gathering data and even records of what a person might be typing on a keyboard. Important information was extracted and covertly sent via a network of other infected computers, hiding its tracks from easy detection, back to the code’s creators.
Called various names — Snake, Uroburos, Venomous Bear — the malware was suspected in a damaging hack of Germany’s Foreign Ministry in 2017. NATO computers were reportedly compromised. The personal computer of a journalist who worked for a U.S. news organization and reported on the Russian government was reportedly targeted.
This week, authorities in the United States, Britain, Canada, and two other countries announced they had effectively unplugged the malware, disrupting a powerful surveillance tool that, they said, had been developed by Center 16, a cutting-edge cyber-unit of Russia’s main intelligence agency, the Federal Security Service (FSB).
Snake was “the most sophisticated cyber-espionage tool designed and used by Center 16 of Russia’s Federal Security Service for long-term intelligence collection on sensitive targets,” the U.S. government’s cyber-agency said.
The developers of the malware “were really good,” said Paul Rascagneres, an IT security researcher who was among the first to identify Snake in 2014. “The design and the malware architecture was extremely advanced, with security bypasses that were not documented at this time…. It was serious code developed by a serious team.”
Adam Myers, head of intelligence at the U.S. cybersecurity company Crowdstrike, says the decision by the U.S. government and partner agencies in the other countries to release so much information on the FSB unit, as well as arcane details of the code and programming behind the malware, was meant to send a message.
“What it represents is the [U.S.] government is taking a more proactive stance on this stuff…which has been around for more than a decade,” Myers said. “It’s a signal to the Russian government, to the Russian intelligence services, and to say, ‘We see you and we know what you’re doing, and if it suits us, we will disrupt you at the time and place of our choosing.'”
In court filings unsealed the same day as the announcement, the Justice Department said that the espionage campaign was “very consequential,” and that the hackers had stolen sensitive documents from NATO countries.
The FSB had no comment on the allegations.
‘Inside Jokes, Personal Interests, And Taunts’
Russia’s intelligence and security agencies have overlapping, sometimes competing cyber-operations. Some of the most destructive known cyberweapons — Sandworm and NotPetya, for example — have been developed by Russia’s military intelligence agency, known as the GRU. That agency, and another called the Foreign Intelligence Service (SVR), has been accused in the hacking of U.S. political campaigns in 2016.
The FSB has two known cyber-units. The first, Center 18, or the Center for Information Security, was roiled by a major treason scandal in 2019.
The other is Center 16, formally known as the Center for Radio-Electronic Intelligence by Means of Communication, or Military Unit 71330, which oversees the FSB’s signals intelligence capabilities, including intercepting communications, decryption, and data processing.
According to an FBI affidavit unsealed on May 9, Snake was first developed in 2003 or 2004 by Center 16, and early versions included an image of an ancient symbol called an Uroboros — also spelled Ouroboros — in which a dragon or snake is shown eating its own tail. Some of the code also included the string “Ur0bUr()sGoTyOu#”— in which the word “uroboros” is partly visible. The FBI said it was identifying the FSB unit by the name Turla.
“Snake has been a core component of this unit’s operations for almost as long as Center 16 has been part of the FSB,” the affidavit said.
“In terms of general persistent activity of this team/group/unit they have been probably the more active and professional one, in contrast to other operations employed by the [Russian] military for example,” Michael Sandee, a researcher with Fox-IT, a Dutch digital forensics company, said in an e-mail.
“It’s a super complex piece of malware,” Crowdstrike’s Myers said.
FSB coders who developed early versions of the malware often peppered their work with “inside jokes, personal interests, and taunts directed at security researchers” — a common practice among coders and programmers. Those remained identifiable as the malware evolved, the FBI said, “which have assisted the U.S. government in attributing the Snake malware to the FSB.”
In one instance, according to the FBI, the “Ur0bUr()sGoTyOu#” string was replaced with the string “gLASs D1cK” in 2014 after cyber-researchers began publicizing the Snake or Uroburos malware.
Investigators said they were also able to home in on an FSB remote location, in the city of Ryazan, southeast of Moscow, with FSB programmers doing much of their work during regular working hours.
U.S. officials said they had been monitoring Turla and Snake-related variations of the malware for nearly two decades. British officials, meanwhile, said last year that Center 16 had been “observed conducting cyber-operations since at least 2010.”
Beginning in 2015, the FBI said, it monitored data stolen by Snake and other encrypted communications, involving the Foreign Ministry of a “NATO-member state.” A similar monitoring effort took place between 2017 and 2020, the FBI said, involving the government of “another NATO-member state.”
Neither country is identified by the FBI or the other security agencies that partnered with the FBI. However, sometime beginning around 2015, Germany was hit by a monthslong, massively damaging hack that targeted its parliament, its Foreign Ministry, energy infrastructure, and other agencies.
In 2018, Germany’s domestic intelligence agency, the BfV, called the hackers “exceptionally dangerous.”
In 2019, U.S. and British security agencies issued an advisory warning of a hacking campaign overseen by Turla that targeted computers in at least 35 countries, mainly in the Middle East.
The FBI also said it had determined that FSB hackers “used Snake malware to target the personal computer of a journalist for a U.S. news media company who has reported on the government of the Russian Federation.”
Neither the journalist nor the news organization is identified.
British intelligence also said Center 16 had conducted hacking and other cyber-operations targeting Russian dissidents, political opponents, and Russian citizens.
In its affidavit, the FBI said officials delayed notifying people with compromised computers so that researchers could coordinate the effort to unplug, or disrupt, Snake without the FSB interfering. The effort was called Operation Medusa.
“Were Turla to become aware of Operation Medusa before its successful execution, Turla could use the Snake malware on the subject computers and other Snake-compromised systems around the world to monitor the execution of the operation to learn how the FBI and other governments were able to disable the Snake malware and harden Snake’s defenses,” FBI agent Taylor Forry wrote.
The U.S. Justice Department targeted Center 16 previously: in a 2021 indictment that was unsealed in March 2022, accusing three FSB officers of using spear-phishing attacks — fake e-mails that trick a recipient into clicking on a malware link — that targeted more than 3,300 users at more than 500 U.S. and international companies.
They also targeted U.S. government agencies such as the Nuclear Regulatory Commission, U.S. authorities said.
A separate indictment targeted a programmer who worked for an institute under the Russian Defense Ministry. That man, Yevgeny Gladkikh, allegedly used a type of highly powerful malware known as Triton to hack a petrochemical plant in 2017.
Center 16 operatives have also turned up in other locations outside of Russia. One, Aleksei Ivanenko, worked under diplomatic cover in Croatia until April 2022, when Croatian authorities announced they were expelling him along with 23 other diplomats and support staff.
According to a leaked database of Russian government records reviewed by RFE/RL, Ivanenko worked as an “engineer” for Center 16, prior to being sent to Croatia.
Cyber-experts were divided on whether the effort would cause lasting damage to Center 16’s operations.
“It is unlikely to really cause much lasting disruption to the intelligence-gathering operation long-term, but probably a bit annoying for the Russians in the short term, as they lose some access and need to reestablish,” Fox-IT’s Sandee said. “I think it is more of a distraction than anything else, and simply done to do something, rather than nothing, if you catch my drift.”
In the absence of Snake malware, the FSB Center 16 hackers most likely have other cybertools that they’ve developed and could deploy.
“I don’t want to take away from the overall value of this effort by U.S. government,” Myers said, but he added that the FSB had “other tools…. They have an whole arsenal of malware and tools and this is one of them.
“It stings a bit, but they’re not out of business, they’re not looking for new jobs,” he said.
“But it has a big impact on them,” Rascagneres said in an e-mail. “Replacing everything, losing access on infected systems. It costs a lot. They need to reinfect the targets, deploy new malware, pivot in the targeted network.”
“The process of compromising a sensitive target takes weeks/months of work,” he said.
- Mike Eckel is a senior correspondent reporting on political and economic developments in Russia, Ukraine, and around the former Soviet Union, as well as news involving cybercrime and espionage. He’s reported on the ground on Russia’s invasion of Ukraine, the wars in Chechnya and Georgia, and the 2004 Beslan hostage crisis, as well as the annexation of Crimea in 2014.