NSA And FBI Warn Of Russian Linux Malware

Uploaded on 2020-08-17 in INTELLIGENCE--International, GOVERNMENT-National, GOVERNMENT-Law Enforcement, FREE TO VIEW, INTELLIGENCE-Hot Spots-Russia, TECHNOLOGY--Hackers

The FBI and NSA have issued a joint report warning that Russian state hackers are using a previously unknown piece of Linux malware to stealthily infiltrate sensitive networks, steal confidential information and execute malicious commands. 

In the report, which is unusual for the depth of technical detail from a government agency, officials said the Drovorub malware is a full-featured tool kit that has gone undetected until recently. 

The malware connects to command and control servers operated by a hacking group that works for the GRU, Russia’s military intelligence agency that has been tied to more than a decade of brazen and advanced campaigns, many of which have inflicted serious damage to national security.

The US government agencies say that Drovorub, targets Linux systems. It says that the malware was developed for a Russian military unit enabling it to cyber-espionage hacks and attacks. The malware comes with a multitude of espionage capabilities, including stealing files and remotely controlling victims’ computers.

The malware is sophisticated and is designed for stealth, leveraging advanced “rootkit” technologies that make detection difficult. 

According to the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI), the malware represents a threat to national security systems that use Linux. “Drovorub is a Linux malware toolkit consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server,” according to the joint report by the FBI and NSA.  “When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as ‘root’; and port forwarding of network traffic to other hosts on the network.”

The report does not detail how the initial attack vector for the malware occurs. The report also does not specify how long the malware has been in action, or how many companies may have been targeted, and whether any attacks have been successful. Neither does it specify that the malware initially infects victims either.

It does say the threat actor behind the malware uses a “wide variety of proprietary and publicly known techniques to target networks and to persist their malware on commercial devices.”

The name “Drovorub” is derived from a variety of artifacts discovered in Drovorub files, used by the threat actors themselves, and translated, means “woodcutter” or “to split wood.” Drovorub, refers to a malware suite of four separate components that include an agent, client, server and kernel module. When deployed on a victim’s machine, the Drovorub client is first installed, and then provides the capability for direct communications with an actor-controlled command-and-control (C2) infrastructure.

When deployed on a victim machine, Drovorub provides the capability for direct communications with actor-controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands; port forwarding of network traffic to other hosts on the network; and implements hiding techniques to evade detection. 

Once a client is in contact with the attacker controlled server, it then uses an agent component to receive commands. Those commands can trigger file download and upload capabilities, execution of arbitrary commands such as “root,” and port forwarding of network traffic to other hosts on the network.

The US government alleges the malware has been used in unspecified cyber-espionage operations that it has tied to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

The report also cites what it believes are links between the malware and the Russian threat group Fancy Bear. This conclusion, the report states, came after linking operational Drovorub C2’s infrastructure with what it said was GTsSS operational cyber infrastructure.

Security researchers say that the malware’s functions can allow attackers to launch cyber warfare campaigns to disrupt companies, all without geographic proximity to the victim. NSA and FBI use a variety of sources, methods, and partnerships to acquire information about foreign cyber threats. 

FBI:      Threatpost:      NSA:     McAfee

You Might Also Read:

The New Sophistication Of Nation-State Hacking:

 

 

« The Rise of the Business-Aligned Security Executive
Teacher Estimates Replace Algorithm That Reduced Exam Grades »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Copper Horse Solutions

Copper Horse Solutions

Copper Horse specialises in mobile and IoT security, engineering solutions throughout the product lifecycle from requirements to product security investigations.

CyberSmart

CyberSmart

CyberSmart is a platform that allows you to maintain compliance, achieve certification and secure your organisation.

Nubo Software

Nubo Software

Nubo’s Virtual Mobile Infrastructure creates a virtual corporate device on your employee smartphones and tablets. Enable unlimited mobility without leaving any data at risk.

UM Labs

UM Labs

UM Labs is a developer of security products for Voice over IP (VoIP), protecting SIP trunk connections, safeguarding mobile phone communications and enabling BYOD.

H3C Group

H3C Group

H3C provides a full range of Computer, Storage, Networking and Security solutions.

Asoftnet

Asoftnet

Asoftnet are specialists in IT security, IT forensics, IT service, websites, applications and mobile solutions.

Gallarus Industry Solutions

Gallarus Industry Solutions

Gallarus leads innovation within industrial Manufacturing, Production and Management Systems, including Cyber Security solutions specifically developed to protect against the latest cyber criminality.

Rogers Cybersecure Catalyst

Rogers Cybersecure Catalyst

Rogers Cybersecure Catalyst helps Canadians and Canadian companies seize the opportunities and tackle the challenges of cybersecurity.

Secured Communications

Secured Communications

Secured Communications has developed the only unified secure communications platform trusted by public safety and counter terrorism professionals around the world.

Cyber Security Cooperative Research Centre (CSCRC)

Cyber Security Cooperative Research Centre (CSCRC)

The CSCRC provides frank and fearless research and in-depth analysis of cyber security systems, the cyber ecosystem and cyber threats.

Cyber Command - Romania

Cyber Command - Romania

Cyber Command represents the military authority responsible for the development, protection and resilience of military IT networks and services that support the Romanian Force Structure.

Darkscope

Darkscope

Darkscope is an award-winning personalised cyber intelligence service provider. Our cutting-edge AI and Deep Artificial Neural Networks lead the world of cyber intelligence solutions.

Wing Security

Wing Security

Wing fosters a stronger security culture by engaging SaaS end-users and enabling easy communication with security teams.

Pistachio

Pistachio

Pistachio is the new evolution of cybersecurity awareness training and attack simulations.

Tanzania Industrial Research and Development Organization (TIRDO)

Tanzania Industrial Research and Development Organization (TIRDO)

TIRDO is a multi-disciplinary research and development organization.

Identifly

Identifly

Identifly is the leading Australian independent identity consultancy and partner in Australia, helping enterprises implement large scale identity security projects fast.