US authorities have sabotaged a suite of malicious software used by Russian hackers to steal sensitive information from at least 50 countries, according to officials.
The FBI has used a court order to cut off hackers’ access to a network of US computers used to infiltrate diplomatic and military agencies of 50 Nato countries and allies for over 20 years.
The FBI operation and US public advisories said it would now be “difficult or/and untenable” for Russia’s domestic intelligence service (FSB) to effectively use it again.
The news is the latest in a series of actions taken by US authorities to crack down on foreign spying and criminal rings using custom-built FBI tools.
“We assess this as being their premier espionage tool,” one of the US officials told journalists. He said Washington hoped the operation would “eradicate it from the virtual battlefield.”
The malware, known as Snake, was said to have been designed by a notorious hacking group that the private sector tracks under the name Turla, widely believed by experts to be one of the most elite cyber-espionage units within the Russian intelligence service.
The group’s tools have been associated with a big breach of US military networks in the mid-to-late 1990s and a hack of US Central Command in 2008.
FSB operatives were said to have used the hacking tool to “access and exfiltrate sensitive international relations documents, as well as other diplomatic communications” from an unnamed Nato country, officials revealed.
“Russia used sophisticated malware to steal sensitive information from our allies, laundering it through a network of infected computers in the United States in a cynical attempt to conceal their crimes. Meeting the challenge of cyber espionage requires creativity and a willingness to use all lawful means to protect our nation and our allies,” stated United States attorney Breon Peace.
The operation to disrupt Turla’s Snake malware was named Operation Medusa. The FBI and its partners identified where the hacking tool had been deployed across the internet and built a unique software payload to disrupt the hackers’ infrastructure.
The FBI relied on existing search warrant authorities to remotely access the Russian malicious program within victim networks in the US and sever its connections.
“The extremely important thing to understand here is that systems that were compromised may still hold other tools for persistence, and credentials may have been infiltrated,” said Martin Jartelius, CSO at Outpost24.
“To make reinfections harder it is important to maintain a multi-layer defence using key elements such as multi-factor authentication and vulnerability management to prevent initial infections and testing one’s detection capabilities emulating real threats using an internal or external red team that allows testing one’s assumptions regarding security measures.”
Last month, UK Cabinet Office minister Oliver Dowden warned that the country is facing “ideologically motivated” cyber threats from Russia-aligned groups.
The minister stressed that over the last 18 months, the UK has seen an increase in activity from several Russia-aligned groups sympathetic to Putin’s invasion of Ukraine. Described as “the cyber equivalent of the Wagner group”, these actors have expanded their targets beyond Ukraine and begun focusing on its allies, including Britain, with a view to destroying the country’s critical infrastructure.
Earlier this year, Royal Mail suffered a ransomware attack that affected its computer systems and disrupted its services. The attack was claimed by LockBit, a hacker group with close links to Russia.