The FBI announced Tuesday that it has disrupted a network of hacked computers that Russian spies have used for years to steal sensitive information from at least 50 countries, including NATO governments.
The action appears to be a major blow to Russia’s domestic intelligence service, the FSB, which has allegedly used the sophisticated hacking tool to infiltrate US and Western diplomatic and military agencies for nearly two decades. It’s the latest move by the Justice Department to more aggressively target foreign spying and criminal rings using custom-built FBI tools.
The FBI used a court order on Monday to cut off the Russians’ access to the network of computers in the US that the hackers were using to spirit the stolen information around the world and back to Russia, US officials said. The FBI operation and US public advisories on the hacking tool would make it “difficult or and untenable” for the FSB to effectively use it again, a senior FBI official said in a call with reporters Tuesday.
FSB operatives, for example, used the hacking tool to “access and exfiltrate sensitive international relations documents, as well as other diplomatic communications” from an unnamed NATO country, the US and its “Five Eyes” allies said in an advisory on Tuesday.
The Russian Embassy in Washington did not immediately respond to a request for comment.
The Russian hacking group that the FBI targeted, known as Turla, is widely believed by experts to be one of the most elite cyber-espionage units in the Russian intelligence services. Turla’s tools are associated with a big breach of US military networks in the mid-to-late 1990s and a hack of US Central Command in 2008.
In recent years, the hackers have been observed burrowing into the networks of foreign ministries and parliaments in Eastern Europe to collect intelligence on Russian adversaries.
The Russian group has also exploited the work of other spy agencies. In 2018, Turla hijacked an Iranian hacking tool to gain access to the network of an unnamed Middle Eastern government, according to researchers.
Turla operatives are “genuine professionals,” Juan Andres Guerrero-Saade, a researcher who has tracked Turla for years, told CNN.
“They’re not traipsing around breaking things or calling attention to themselves in stupid ways,” said Guerrero-Saade, who is senior director of SentinelLabs, the research arm of security firm SentinelOne. He said that’s what you’d “expect from the GRU,” referring to Russia’s military intelligence agency, whose hackers are generally more conspicuous. “You don’t see that out of Turla.”
Turla’s reputation as one of the Kremlin’s premier hacking teams has inspired private researchers and journalists to track the hackers down.
A 2022 investigation by German public broadcaster Bayerischer Rundfunk traced some Turla operations to an FSB-connected company in the Russian city of Ryazan, about 120 miles southeast of Moscow. The US and allies’ advisory confirmed that daily Turla hacking operations occur at an FSB facility in Ryazan.
While the FBI touted the action as another example of the bureau’s strategy to protect hacking victims, Guerrero-Saade wondered what visibility the FBI might have lost into Turla’s operations by exposing the network of hacked computers.
“The FBI has a hammer and they’ve decided this is just another nail,” Guerrero-Saade said. “And I don’t think espionage operations should be handled the same way that criminal operations are.”