In a significant move against Russian cyber espionage, the FBI announced on Tuesday that it had disrupted a network of computers that had been hacked by Russian spies. This operation had been used for years to steal sensitive information from at least 50 countries, including NATO governments. This development seems to have dealt a major blow to Russia’s domestic intelligence service, the FSB, which is alleged to have used the sophisticated hacking tool to infiltrate US and Western diplomatic and military agencies over the last two decades.
The action taken by the Justice Department is the latest in its efforts to aggressively target foreign spying and criminal rings. The FBI used a court order on Monday to sever the Russians’ access to the network of US computers that were being used by the hackers. The hackers had used this network to transport the stolen information across the globe and back to Russia.
The FBI operation and US public advisories on the hacking tool make it “difficult and untenable” for the FSB to effectively use it again, a senior FBI official announced in a call with reporters on Tuesday. The FSB operatives had, for instance, used the hacking tool to “access and exfiltrate sensitive international relations documents, as well as other diplomatic communications” from an unnamed NATO country, according to the US and its “Five Eyes” allies in an advisory issued on Tuesday.
The FBI’s target, the Russian hacking group known as Turla, is widely considered by experts to be one of the most elite cyber-espionage units in the Russian intelligence services. Turla has been associated with significant breaches of US military networks in the mid-to-late 1990s and a hack of US Central Command in 2008. In recent years, the group has been observed infiltrating the networks of foreign ministries and parliaments in Eastern Europe to collect intelligence on Russian adversaries.
Notably, Turla has also capitalized on the work of other spy agencies. In 2018, the group hijacked an Iranian hacking tool to gain access to the network of an unnamed Middle Eastern government.
The disruption of this complex network of computers infected with the “Snake” malware marks a significant and direct action by the US government against Turla. The malware network was leveraged in sophisticated campaigns to collect strategic intelligence, particularly from government offices, military organizations, and the energy sector.
The Turla operatives, described by Juan Andres Guerrero-Saade, a researcher who has tracked Turla for years, as “genuine professionals,” have generally maintained a low profile. Turla’s reputation as one of the Kremlin’s premier hacking teams has led to private researchers and journalists attempting to track the hackers down. A 2022 investigation traced some Turla operations to an FSB-connected company in Ryazan, Russia.
While the FBI’s move is lauded as another step in its strategy to protect hacking victims, some experts, including Guerrero-Saade, have expressed concerns about the visibility the FBI might have lost into Turla’s operations by exposing the network of hacked computers.
Despite the blow to Snake (the malware also tracked as Uroburos), Turla’s diverse toolkit indicates that the FSB-linked group will likely continue to evolve and modify other tools for use in espionage campaigns. The ongoing saga of international cyber espionage continues, with the battlefield ever-shifting, and the players continuously adapting their tactics in this high-stakes game of global security.