NSA And FBI Warn Of Russian Linux Malware

Uploaded on 2020-08-17 in INTELLIGENCE--International, GOVERNMENT-National, GOVERNMENT-Law Enforcement, FREE TO VIEW, INTELLIGENCE-Hot Spots-Russia, TECHNOLOGY--Hackers

The FBI and NSA have issued a joint report warning that Russian state hackers are using a previously unknown piece of Linux malware to stealthily infiltrate sensitive networks, steal confidential information and execute malicious commands. 

In the report, which is unusual for the depth of technical detail from a government agency, officials said the Drovorub malware is a full-featured tool kit that has gone undetected until recently. 

The malware connects to command and control servers operated by a hacking group that works for the GRU, Russia’s military intelligence agency that has been tied to more than a decade of brazen and advanced campaigns, many of which have inflicted serious damage to national security.

The US government agencies say that Drovorub, targets Linux systems. It says that the malware was developed for a Russian military unit enabling it to cyber-espionage hacks and attacks. The malware comes with a multitude of espionage capabilities, including stealing files and remotely controlling victims’ computers.

The malware is sophisticated and is designed for stealth, leveraging advanced “rootkit” technologies that make detection difficult. 

According to the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI), the malware represents a threat to national security systems that use Linux. “Drovorub is a Linux malware toolkit consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server,” according to the joint report by the FBI and NSA.  “When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as ‘root’; and port forwarding of network traffic to other hosts on the network.”

The report does not detail how the initial attack vector for the malware occurs. The report also does not specify how long the malware has been in action, or how many companies may have been targeted, and whether any attacks have been successful. Neither does it specify that the malware initially infects victims either.

It does say the threat actor behind the malware uses a “wide variety of proprietary and publicly known techniques to target networks and to persist their malware on commercial devices.”

The name “Drovorub” is derived from a variety of artifacts discovered in Drovorub files, used by the threat actors themselves, and translated, means “woodcutter” or “to split wood.” Drovorub, refers to a malware suite of four separate components that include an agent, client, server and kernel module. When deployed on a victim’s machine, the Drovorub client is first installed, and then provides the capability for direct communications with an actor-controlled command-and-control (C2) infrastructure.

When deployed on a victim machine, Drovorub provides the capability for direct communications with actor-controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands; port forwarding of network traffic to other hosts on the network; and implements hiding techniques to evade detection. 

Once a client is in contact with the attacker controlled server, it then uses an agent component to receive commands. Those commands can trigger file download and upload capabilities, execution of arbitrary commands such as “root,” and port forwarding of network traffic to other hosts on the network.

The US government alleges the malware has been used in unspecified cyber-espionage operations that it has tied to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

The report also cites what it believes are links between the malware and the Russian threat group Fancy Bear. This conclusion, the report states, came after linking operational Drovorub C2’s infrastructure with what it said was GTsSS operational cyber infrastructure.

Security researchers say that the malware’s functions can allow attackers to launch cyber warfare campaigns to disrupt companies, all without geographic proximity to the victim. NSA and FBI use a variety of sources, methods, and partnerships to acquire information about foreign cyber threats. 

FBI:      Threatpost:      NSA:     McAfee

You Might Also Read:

The New Sophistication Of Nation-State Hacking:

 

 

« The Rise of the Business-Aligned Security Executive
Teacher Estimates Replace Algorithm That Reduced Exam Grades »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Synology

Synology

Synology provides high-performance, reliable, and secure Network Attached Storage (NAS) products.

Quorum Cyber

Quorum Cyber

Quorum Cyber offer end-to-end cyber security solutions, specialising in Managed Security Services, Consulting and Resourcing.

Kryptus

Kryptus

Kryptus provides a wide array of solutions for hardware, firmware and software ranging from semiconductors to complex digital certificate management systems.

CryptoCurrency Certification Consortium (C4)

CryptoCurrency Certification Consortium (C4)

The CryptoCurrency Certification Consortium is a non-profit organization that provides certifications to professionals who perform cryptocurrency-related services.

Tetrad Digital Integrity (TDI)

Tetrad Digital Integrity (TDI)

TDI is a world-class consulting firm offering cybersecurity services to government agencies and commercial clients around the world.

Wontok

Wontok

Wontok deliver innovative value-added data security services that fill the gaps left in traditional security solutions.

Sentor Managed Security Services

Sentor Managed Security Services

Sentor Managed Security Services is a cybersecurity company that enables organizations to exist in a digitally connected world.

Center for Medical Device Cybersecurity (CMDC) - University of Minnesota

Center for Medical Device Cybersecurity (CMDC) - University of Minnesota

CMDC’s mission is to foster university-industry-government partnerships to assure that medical devices are safe and secure from cybersecurity threats.

Security Risk Management (SRM)

Security Risk Management (SRM)

SRM provide a comprehensive security risk management service encompassing people, processes, technology, governance, compliance and risk management.

SHI International

SHI International

SHI International deliver against your IT and business needs, helping you build strategies and solutions that will drive innovation, collaboration and security.

Block Harbor Cybersecurity

Block Harbor Cybersecurity

Block Harbor has worked closely with automakers, suppliers, and regulators since 2014 on vehicle cybersecurity.

ConductorOne

ConductorOne

ConductorOne is building the identity security platform for the modern workforce.

LetsData

LetsData

LetsData uses AI to provide governments, intergovernmental organizations, civil society, and businesses with data-empowered decisions on communication in the age of online disinformation.

CyberMass

CyberMass

CyberMass provides Cyber Advisory/Consulting, Professional and Managed Services offering complete cybersecurity as a service protection to businesses.

VPNBlade

VPNBlade

VPNBlade is your go-to resource for expert reviews and advice on VPN services.

IntelliBridge

IntelliBridge

IntelliBridge supports our nation’s most critical missions by solving complex technology, intelligence, and mission support challenges.