US-led ‘Five Eyes’ alliance dismantled Russia’s ‘premier espionage cyber-tool’

May 11, 2023 by 3 Comments

Computer hackingAN ESPIONAGE TOOL DESCRIBED by Western officials as the most advanced in the Russian cyber-arsenal has been neutralized after a 20-year operation by intelligence agencies in the United States, Australia, Canada, the United Kingdom and New Zealand. The operation targeted Turla, a hacker group that cyber-security experts have long associated with the Russian government.

Turla is believed to be made up of officers from Center 16, a signals intelligence unit of Russia’s Federal Security Service (FSB), one of the Soviet-era KGB’s successor agencies. Since its appearance in 2003, Turla has used a highly sophisticated malware dubbed ‘Snake’ to infect thousands of computer systems in over 50 countries around the world. Turla’s victims include highly sensitive government computer networks in the United States, including those of the Department of Defense, the National Aeronautics and Space Administration, and the United States Central Command.

The Snake malware has also been found in computers of privately owned firms, especially those belonging to various critical infrastructure sectors, such as financial services, government facilities, electronics manufacturing, telecommunications and healthcare. For over two decades, the Snake malware used thousands of compromised computers throughout the West as nodes in complex peer-to-peer networks. By siphoning information through these networks, the Turla hackers were able to mask the location from where they launched their attacks.

On Tuesday, however, the United States Department of Justice announced that the Federal Bureau of Investigation (FBI), along with its counterparts in the United States-led ‘Five Eyes’ intelligence-sharing alliance, had managed to dismantle Snake. This effort, codenamed Operation MEDUSA, was reportedly launched nearly 20 years ago with the goal of neutralizing the Snake malware. In the process, Five Eyes cyber-defense experts managed to locate Turla’s facilities in Moscow, as well as in Ryazan, an industrial center located about 120 miles southeast of the Russian capital.

The complex cyber-defense operation culminated with the development of an anti-malware tool that the FBI dubbed PERSEUS. According to the Department of Justice’s announcement, PERSEUS was designed to impersonate the Turla operators of Snake. In doing so, it was able to take over Snake’s command-and-control functions. Essentially, PERSEUS hacked into Snake and instructed the malware to self-delete from the computers it had compromised. As of this week, therefore, the worldwide peer-to-peer network that Snake had painstakingly created over two decades, has ceased to exist, as has Snake itself.

Author: Joseph Fitsanakis | Date: 11 May 2023 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , , , , , ,

Russian government cyber spies ‘hid behind Iranian hacker group’

October 22, 2019 by Leave a comment

Computer hackingRussian hackers hijacked an Iranian cyber espionage group and used its infrastructure to launch attacks, hoping that their victims would blame Iran, according to British and American intelligence officials. The information, released on Monday, concerns a Russian cyber espionage group termed “Turla” by European cyber security experts.

Turla is believed to operate under the command of Russia’s Federal Security Service (FSB), and has been linked to at least 30 attacks on industry and government facilities since 2017. Since February of 2018, Turla is believed to have successfully carried out cyber espionage operations in 20 different countries. Most of the group’s targets are located in the Middle East, but it has also been connected to cyber espionage operations in the United States and the United Kingdom.

On Monday, officials from Britain’s Government Communications Headquarters (GCHQ) and America’s National Security Agency (NSA) said Turla had hijacked the attack infrastructure of an Iranian cyber espionage group. The group has been named by cyber security researchers as Advanced Persistent Threat (APT) 34, and is thought to carry out operations under the direction of the Iranian government.

The officials said there was no evidence that APT34 was aware that some of its operations had been taken over by Turla. Instead, Russian hackers stealthily hijacked APT34’s command-and-control systems and used its resources —including computers, servers and malicious codes— to attack targets without APT34’s knowledge. They also accessed the computer systems of APT34’s prior targets. In doing so, Turla hackers masqueraded as APT34 operatives, thus resorting to a practice that is commonly referred to as ‘fourth party collection’, according to British and American officials.

The purpose of Monday’s announcement was to raise awareness about state-sponsored computer hacking among industry and government leaders, said the officials. They also wanted to demonstrate the complexity of cyber attack attribution in today’s computer security landscape. However, “we want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them”, said Paul Chichester, a senior GCHQ official.

Author: Joseph Fitsanakis | Date: 22 October 2019 | Permalink

Filed under A specialized intelligence website written by experts, since 2008 Tagged with , , , , , , , , ,