Law enforcement personnel had to surreptitiously develop their own cyber-infrastructure to interact with and disrupt the malware, which the Russians were constantly updating and changing, the officials said.
The U.S. government, which coordinated its investigative activities with foreign governments, also had to time the execution of the search warrant to access the compromised computers simultaneously to keep the Russians from reacting and thwarting the operation.
The law enforcement officials said they believe their actions this week will make it difficult for Russia to continue operating this spying network.
The Russian Embassy in Washington did not immediately respond to a request for comment.
“Through a high-tech operation that turned Russian malware against itself, U.S. law enforcement has neutralized one of Russia’s most sophisticated cyber-espionage tools, used for two decades to advance Russia’s authoritarian objectives,” Deputy Attorney General Lisa Monaco said in a news release.
FBI officials said the malware, known as “Snake,” was developed and operated by the Federal Security Service, the Russian government’s main security agency, which uses the acronym FSB.
The Russians allegedly used the malware to steal sensitive information from computer systems in at least 50 countries, including members of the NATO alliance, and to spy on journalists and other Russian “targets of interest,” the officials said. Russian officials allegedly would steal the materials and route them through U.S. computers that had been infected with malware to try to avoid detection.
The U.S. government launched “Operation Medusa” — named for the Greek mythological figure known for having venomous snakes on her head instead of hair — to covertly disable Snake, officials said. The FBI did this by creating a cyber-tool called “Perseus,” which essentially used code to instruct the Snake malware to overwrite itself. Perseus is the Greek hero known for killing Medusa.
“Today, Snake is the FSB’s premier long-term cyberespionage malware implant,” said an FBI affidavit in support of a search warrant that was unsealed this week in the Eastern District of New York. “Most importantly, the worldwide collection of compromised computers acts as a covert peer-to-peer network, which utilizes customized communication protocols designed to hamper monitoring and collection efforts by adversary signals intelligence services.”
The investigation included asking a New York judge for permission to remotely access computers in multiple jurisdictions and then remotely seize data stored in these computers to counteract the Russian malware.
U.S. officials have used this law allowing remote access, known as Rule 41, to take down other foreign cyberespionage operations.