Snake’s takedown, irksome commercial surveillance and a federal data breach

Timothy Dykes / Unsplash

Welcome to Changelog for 5/14/23, published by Synack—and Happy Mother’s Day! Nathaniel Mott here with the week’s security news.


The payload

The FBI and its partners are taking a victory lap this week.

A group including the FBI, NSA, Cyber Command, the Cybersecurity and Infrastructure Security Agency and “six other intelligence and cybersecurity agencies from each of the Five Eyes member nations” announced the disruption of the Snake malware the Federal Security Service of the Russian Federation (FSB) has been working on since 2003.

The U.S. Department of Justice said the shutdown came about via Operation Medusa, through which the agencies “disabled Turla’s Snake malware on compromised computers through the use of an FBI-created tool named PERSEUS, which issued commands that caused the Snake malware to overwrite its own vital components.”

CISA also published a security advisory related to the Snake malware. The advisory explains what the Five Eyes members know about Snake’s development and deployment in addition to providing information organizations can use to hunt for the malware on their own networks. (Though it seems at least some of the agency’s guidance is flawed.)

Shutting down Snake is only part of the West’s victory this week. Publicly revealing so much about the malware’s history—and directly attributing it to the FSB—was more about sending a message to Russia than about tooting the FBI’s horn. Perhaps we’ll see similarly comprehensive actions taken against other Russian cyber operations in the future, though the U.S. could stand to tone down the Greek mythological references next time.

The week, compiled

It’s no secret that much of the tech industry depends on collecting, selling and buying data. (“If you aren’t the customer, you’re the product,” as the old saying goes.) Now a Bloomberg Businessweek report has revealed how a company called Rayzone Group “is using information intended for marketers to help authorities track people through their mobile phones.”

Rayzone reportedly purchases real-time data from ad exchanges, including the Google-owned Authorized Buyers, for use in a surveillance tool called Echo. “Echo is among the first known commercially available surveillance systems to exploit advertising data this way, according to industry experts,” the report stated. “Rayzone positions the product as an all-seeing technology that’s more or less impossible to avoid or disable.”

Nick Fewings / Unsplash

Echo also relies on data “from other companies that trade in location and other information gathered from mobile phones,” Bloomberg Businessweek said. In addition to supplying Echo with information, this advertising-focused market has reportedly given companies like Rayzone a way to hawk their wares without the same level of scrutiny as better-known spyware vendors like, say, the beleaguered NSO Group.

There are ways to limit the amount of information the surveillance economy can gather about you, but companies often find workarounds. Without strict regulations—and subsequent enforcement of these rules—firms like Rayzone are all but guaranteed to take advantage of the largest data collection apparatus to date. Why develop sophisticated malware that relies on costly vulnerabilities and exploits when you can just buy the data?

Also last week:

Reuters: The U.S. Department of Transportation is investigating a data breach of its TRANServe transit benefits systems that affected the personal information of nearly a quarter million current and former U.S. government employees. DOT said no transportation safety systems suffered impacts, though it’s freezing access to the benefits program.

Rapid7: Microsoft’s Patch Tuesday updates for May included fixes related to 49 vulnerabilities, including three actively exploited zero-days and five vulns that can be exploited to gain remote code execution. Additional information is available via the Microsoft Security Response Center.

TechCrunch: Health record software maker NextGen Healthcare revealed this week that the “names, dates of birth, addresses and Social Security numbers” of more than 1 million people were compromised when an unknown threat actor gained access to an internal system in March.

SecurityWeek: A former Ubiquiti employee, Nickolas Sharp, has been sentenced to six years in prison and told to pay $1.5 million in restitution following his attempt to extort the networking company for approximately $1.9 million worth of Bitcoin (50 tokens) in early 2021.

A message from Synack

Dive deep into the top software flaws of 2022 in Synack’s inaugural State of Vulnerabilities report. Researchers on the elite Synack Red Team uncovered a record 14,800 exploitable vulnerabilities across Synack targets last year, ranging from authentication failures to SQL injections. The report shares insights into the root causes of these security gaps. Learn how Synack finds the vulnerabilities that matter and check out the full report here.

Flash memory

The Guardian ran a feature this week titled, “On the trail of the Dark Avenger: the most dangerous virus writer in the world.” It’s centered on the author of at least 14 viruses that started to spread around the globe in the late ’80s—starting with the malicious Eddie payload.

Eddie was mostly dormant… until the 16th time it was run, according to The Guardian, which said the virus then “overwrote a random section of the disk in the computer with its calling card: ‘Eddie lives … somewhere in time.’” (This supposedly means that “Dark Avenger had invented what are now called ‘data diddling’ viruses — viruses that alter data in files”—though I’ve never heard the phrase “data diddling” in polite company.)

The Guardian’s report doesn’t have a satisfying ending. Dark Avenger remains uncaught, so anyone hoping they would pay for Eddie’s sins was disappointed. But the report offers a fascinating glimpse at the virus writing scene in Bulgaria as well as the relationship between those virus writers and the people hoping to stop them.

Local files

KOBI5: Curry County, Oregon declared a state of emergency on Thursday due to a ransomware attack, with commissioner Brad Alcorn reportedly saying “there’s no email access, historical documents are gone and any online data or documents are unreachable.” The attack is believed to have been carried out by the Royal group that recently targeted Dallas, Texas.

The Register: The PEGA Committee finalized its report on spyware usage in the EU on Monday, saying the malware has been used “to intimidate political opposition, silence critical media and manipulate elections” by Hungary, Poland and several other countries throughout the EU.

BleepingComputer: Food distribution juggernaut Sysco recently said that an unknown “threat actor extracted certain company data, including data relating to operation of the business, customers, employees and personal data,” particularly in the U.S. and Canada, earlier this year.


Surprise! I’ve been playing The Legend of Zelda: Tears of the Kingdom.

I’m not going to talk about how good the game is; plenty of other people have already done that. But I do want to say how much returning to Hyrule feels like going home—even though I haven’t played Breath of the Wild all that much since making my way through the game on its release.

Eugene Chystiakov / Unsplash

A lot has changed between Breath of the Wild and Tears of the Kingdom. Not even gameplay-wise. Just… everything. Since Breath of the Wild’s release we’ve gone through a pandemic, an insurrection and so many other life-changing events that it’s hard to believe it’s only been about six years.

This return to Zelda feels good. It’s not quite as appropriately timed as Animal Crossing: New Horizons was, since that life sim came right as much of the world went into lockdown, but I’m glad Tears of the Kingdom is here. Now, if you’ll excuse me, I have some Korok seeds to find.

That’s all for now — please send any feedback to or We’ll be back next Sunday!