
    Prof. Piotr Grochmalski: A Monumental Setback for Putin in the Realm of Cyber Warfare

    On the day of the parade on Red Square, 9 May 2023, Putin received information that froze him. Soon the whole world learned about something that was one of the FSB’s most closely guarded secrets.

    This bloody conflict also has a hidden dimension: Russia’s information war against the West. Part of it is the cyber-attacks undertaken by Putin’s services against the world. It is no less brutal and ruthless. It involves not only the destruction of democratic state institutions but also the destruction of their infrastructure and the theft of information resources. The impending Ukrainian offensive is causing growing anxiety in the Kremlin. Sergei Naryshkin, Alexander Bortnikov and Igor Kostyukov, the heads of Russia’s main services, have been tasked with acquiring data to decipher Kyiv’s intentions. And the US, as part of a new $1.2bn tranche of support, is providing Ukraine with an extensive package of satellite imaging services to enhance operational planning in the final phase of preparations for the offensive. At this exact moment, Russia has suffered a gigantic defeat. Its most important cyber-espionage tool – the Snake malware – was effectively destroyed by the Five Eyes, an intelligence alliance of five countries – the US, Great Britain, Canada, Australia and New Zealand.

    “We have identified Snake infrastructure in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia, to include the United States and Russia itself. Although Snake uses infrastructure across all industries, its targeting is purposeful and tactical in nature. Globally, the FSB has used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities, and journalists. As one example, FSB actors used Snake to access and exfiltrate sensitive international relations documents, as well as other diplomatic communications, from a victim in a North Atlantic Treaty Organization (NATO) country,”

    the authors of this document state.

    It is no coincidence that at exactly the moment when Russia is in desperate need of strong agent support from the FSB, its system painstakingly built under Putin’s auspices, almost from the beginning of his rule in the Kremlin, was shattered. “Snake” was the most sophisticated spy software. It was created by Centre 16 of Russia’s Federal Security Service (Military Unit 71330).

    Preparing for cyber-warfare

    Putin’s inner circle quickly recognised that one of the most effective areas in which to wage covert, asymmetric war against the West would be digital infrastructure. Former KGB general Nikolai Patrushev, now a key member of the Kremlin’s war party, ordered work on ‘Snake’ as head of the FSB.

    By the end of 2003, the first working version of this software – then called ‘Uroburos’ – had been created. It was first used in early 2004. After a series of failures and subsequent modifications, the super-efficient espionage tool ‘Snake’ was created, allowing for the long-term collection of intelligence information of crucial importance to the Kremlin. To carry out operations using this tool, the FSB created a covert peer-to-peer (P2P) network involving hundreds of thousands of Snake-infected computers around the world. Many of the systems in this P2P network served as relay nodes that directed covert operational traffic to the final targets set by the FSB. Snake’s customised communication protocols used encryption and fragmentation to maintain the confidentiality of operations and make illegal data collection more difficult to detect. Its versions were adapted to run on Windows, macOS and Linux operating systems. The main base from which operations using ‘Snake’ were conducted was located at the FSB facility in Ryazan, but they were also supported by operations conducted from the building occupied by FSB Centre 16 in Moscow.

    US Attorney General Merrick Garland made an unannounced trip to Lviv on Friday 5 May 2023 at the invitation of Ukrainian Prosecutor General Andriy Kostin. In addition to final talks on the transfer of some confiscated Russian assets to Ukraine (which was finally announced on 10 May), the subject of spyware was also addressed.

    Four days later, on 9 May, Garland stated that “the Justice Department, together with our international partners, has dismantled a global network of malware-infected computers that the Russian government has used for nearly two decades to conduct cyber-espionage, including against our NATO allies.” 


    According to Sergiu Gatlan, a writer at Bleeping Computer – a US-based cyber-security website – the operation to destroy the Snake software was successful. As he notes, “With information gleaned from monitoring the Snake network and analyzing Snake malware, the FBI developed a tool, named PERSEUS, that establishes communication sessions with the Snake malware implant on a particular computer, and issues commands that cause the Snake implant to disable itself without affecting the host computer or legitimate applications on the computer.”

    As a report by the US Cybersecurity and Infrastructure Security Agency (CISA), established in 2018, reveals, the code for the Snake programme and related tools formed the basis for a range of other digital tools prepared and deployed by Military Unit 71330 and used by Russian services, including the Carbon programme (aka Cobra) – derived from the Snake code base – and Chinch (now known in open sources as ComRAT). According to the National Security Office of Slovakia (NBU), between 2012 and 2017, Military Unit 71330 was behind a global espionage operation involving supply chains. Its activities during this period included infiltration and control of various systems in more than 380 corporations in 138 countries (including companies in Slovakia). These were mainly companies in the energy industry, including oil refineries, electricity distribution networks and systems, and nuclear power plants.

    Putin’s cyber war against the US

    Russian hackers were already engaged in a regular cyber war with the US even before the aggression against Ukraine. Joe Biden took the presidential office in January 2021, just after a cyber-attack, gigantic in scale, whose main target was the US. The blow was inflicted on entire segments of the state structure responsible for security. On 3 December 2020, it was revealed that hackers had used a SolarWinds software update to attack 300,000 organisations in the Western world. The attack not only targeted almost all major US corporations but also the core of US government agencies. The hackers hit the Departments of State, Treasury, Homeland Security and also the Pentagon. The scale of the attack was shocking. The blow was inflicted not only on the heart of the American state but also on hundreds of thousands of technology companies, the telecommunications industry, the consulting industry and the global oil and gas sector (SolarWinds software is also used by Polish state structures). According to US analysts, Russia was behind the largest cyber-espionage attack in history at the time.

    The main purpose of the aggression was not only to paralyse vast swathes of Western business and civilian infrastructure but also to acquire vast amounts of intelligence. The scale of the losses incurred, in the insurance industry alone, exceeded USD 80 billion. According to estimates, 80 per cent of the identified victims were based in the United States. The others were mainly corporations from Canada, Mexico, Belgium, Spain, the United Kingdom, Israel, and the United Arab Emirates. Biden’s team was shocked by the vulnerability of the US state to the digital hit. The new president, in his very first days in office, promised to strengthen the US’s cyber defences against its enemies. But then came another spectacular blow. Hackers, using a ransomware attack, shut down the Colonial Pipeline, which handles 45 per cent of the East Coast’s fuel supply, on 7 May 2021, and on 30 May 2021 the JBS corporation fell victim. This crippled production at all US plants linked to the world’s largest beef producer, which is based in Brazil. All of this showed how vulnerable the global internet economy, which includes e-commerce worth over 26 trillion dollars, was.

    Digital ‘Pearl Harbor’

    Before Russia’s aggression in Ukraine, most of the public in the West was unaware of the scale of the Kremlin’s aggressive attacks on Western digital systems. But experts were sounding the alarm that Russia was escalating its cyber warfare and coming ever closer to delivering a blow to US critical infrastructure, after which Washington would be forced to go to war with the Russian Federation. Many of Biden’s advisers have argued that the situation is so critical that he must send a clear message to the Kremlin. US Newsweek magazine journalists Tom O’Connor, Naveed Jamali and Fred Guterl, referring to the historical tipping point that caused the US to enter World War II in December 1941, noted in June 2021 that “at least Japanese leaders knew that bombing Pearl Harbor would inevitably provoke a military response. It’s not clear that Russia or the cyber-militants operating within its borders have that awareness now.”

    “The recent attacks seem to mark an intensification. They tend to be more focused on physical infrastructure like food, oil and gas pipelines, and hospitals, upon which Americans rely every day for their health and economic well-being. The trend has national security analysts worried,”

    they also warned.

    Indeed, the attacks are so dangerous to the US that any further one could cross the ‘red line’ that marks the foundations of national security and trigger a US military response. As early as 2016, Admiral James Stavridis, former commander of NATO troops in Europe, warned in an interview with CNBC that the US was being threatened by a “digital Pearl Harbour.” He believed that the US should respond to the actions of Russian hackers. Therefore, after Putin’s aggression against Ukraine, the US dramatically accelerated its work to deal a crushing blow in its covert cyber war with Russia. This occurred on 9 May 2023, when Putin was reviewing the Victory parade in Red Square.