Burning and Bridges II: Turla Boogaloo

Horkos
May 9, 2023


Credit to the LLC.

A few years ago, I wrote a short piece about how a joint U.S.-U.K. disclosure about Turla operations targeting OilRig resources represented a nifty piece of offensive counterintelligence. Given today’s multi-lateral reporting on, and disruption of, Turla’s Snake malware, I felt a sequel was in order.

While I can’t necessarily offer the same level of exegesis on this case, there are some transferable lessons to start with. Such as: this likely represents the last twist of the knife in an extended counterintelligence effort against Turla. Such as: that said twist of the knife likely only occurred after every last drop of value was squeezed out of the U.S. government’s apparent ability to clandestinely compromise the integrity of Snake infections and infrastructure dating back years (see points 21, 23–26, 41, 44–50). Such as: that the timing of the disruption operation (aka MEDUSA) is important, given it was scheduled for 8 May and Russia celebrates Victory Day on 9 May.

In terms of analysis more specifically applicable to this case, let’s start by putting it in perspective alongside the earlier Turla/OilRig disclosure. Compared to 2019, the Five Eyes (FVEY) intelligence alliance now apparently feels comfortable attributing Turla — via Snake specifically — to Center 16 of the Federal Security Service of the Russian Federation (FSB). This is the second operational element that the U.S. has attributed to Center 16 in as many years. And while the activity attributed in 2022 was significantly more historical and is described in the MEDUSA affidavit (page 8, footnote 1) as an operational element distinct from Turla within Center 16, those indictments form part of the broader constellation of acknowledged actions taken against the FSB’s cyber operations enterprise in recent years.

Here is where I go into <<<Angleton Mode>>> and speculate (wildly?) about the particular intention behind what is shaping up to be — in my eyes — a multi-year degradation campaign, formal or ad hoc, against Center 16. What message are the United States and the FVEY alliance trying to send to the Russians today? My guess:

“We have been watching your Snake operations for years, but it’s up to you to figure out how many. We clearly have watched, and siphoned from, your collection during that time. We also have likely interfered in that collection without you knowing it. Anything particularly juicy you got from that collection is something you now must eye with suspicion. Are you wondering what else we’ve got into over the last decade? Did the CI investigation into how we pulled off the visibility enabling our 2019 disclosure even wrap up yet? Are you ready for the absolute migraine of CI scrutiny and internal investigations you’re about to endure behind what we did today, all while you go through a whole new set of tool and access development cycles? We know you’re looking at this as conspiratorially as possible because you’re Chekists and that’s how you think; if you could, this is something you’d like to do to us but we’re doing it to you and we’re doing it out in the open because — and we cannot stress this enough — fuck you. Hope you feel confident about the integrity of whatever you field next, boyos.”

It is also worth keeping in mind that the information released today almost certainly doesn’t represent the totality of FVEY knowledge or capabilities associated with this case. More than likely, we’ve been treated to what could be published without putting sources, methods, and other ongoing operations at risk. So the totality of imposed effects likely extends beyond the specific instances cited publicly. Furthermore, that ambiguity may be intended to cast greater doubt in the minds of the FSB about precisely what the U.S. and its partners accomplished up until now, or could accomplish in the future, with regard to penetration of Russian operations. That would be consistent with a basic rule of this kind of operation: if you are going to burn an adversary service like this, you have to understand not only how the burned element reacts but how the element tasked to investigate the burning will react.

As I drafted this, Michael van Landingham pointed out that I may be overestimating how introspective the FSB might be about this whole thing given its general shift in organizational culture post-2014 towards a Global War on Terror-esque focus on battlefield support in arenas like Ukraine and elsewhere. Andrei Soldatov and Irina Borogan have also written about the growing, likely-related disregard for exposure exhibited by the Russian Intelligence Services in recent years.

So, I may be wrong. I may be crazy. But this just might be the lunacy FVEY’s been looking for. Who’s to say?

Post-script : For a more expert perspective on how these events likely affect Turla in the broader context (versus my CI-focused take above), check out this Twitter thread.


Written by Horkos

The net’s own counterintelligence referent, maybe. Views here are personal, not my employer’s. All original content © Alex Orleans, 2014–present.
