NSA And FBI Warn Of Russian Linux Malware

Uploaded on 2020-08-17 in INTELLIGENCE--International, GOVERNMENT-National, GOVERNMENT-Law Enforcement, FREE TO VIEW, INTELLIGENCE-Hot Spots-Russia, TECHNOLOGY--Hackers

The FBI and NSA have issued a joint report warning that Russian state hackers are using a previously unknown piece of Linux malware to stealthily infiltrate sensitive networks, steal confidential information and execute malicious commands. 

In the report, which is unusual for the depth of technical detail from a government agency, officials said the Drovorub malware is a full-featured tool kit that has gone undetected until recently. 

The malware connects to command and control servers operated by a hacking group that works for the GRU, Russia’s military intelligence agency that has been tied to more than a decade of brazen and advanced campaigns, many of which have inflicted serious damage to national security.

The US government agencies say that Drovorub, targets Linux systems. It says that the malware was developed for a Russian military unit enabling it to cyber-espionage hacks and attacks. The malware comes with a multitude of espionage capabilities, including stealing files and remotely controlling victims’ computers.

The malware is sophisticated and is designed for stealth, leveraging advanced “rootkit” technologies that make detection difficult. 

According to the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI), the malware represents a threat to national security systems that use Linux. “Drovorub is a Linux malware toolkit consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server,” according to the joint report by the FBI and NSA.  “When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as ‘root’; and port forwarding of network traffic to other hosts on the network.”

The report does not detail how the initial attack vector for the malware occurs. The report also does not specify how long the malware has been in action, or how many companies may have been targeted, and whether any attacks have been successful. Neither does it specify that the malware initially infects victims either.

It does say the threat actor behind the malware uses a “wide variety of proprietary and publicly known techniques to target networks and to persist their malware on commercial devices.”

The name “Drovorub” is derived from a variety of artifacts discovered in Drovorub files, used by the threat actors themselves, and translated, means “woodcutter” or “to split wood.” Drovorub, refers to a malware suite of four separate components that include an agent, client, server and kernel module. When deployed on a victim’s machine, the Drovorub client is first installed, and then provides the capability for direct communications with an actor-controlled command-and-control (C2) infrastructure.

When deployed on a victim machine, Drovorub provides the capability for direct communications with actor-controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands; port forwarding of network traffic to other hosts on the network; and implements hiding techniques to evade detection. 

Once a client is in contact with the attacker controlled server, it then uses an agent component to receive commands. Those commands can trigger file download and upload capabilities, execution of arbitrary commands such as “root,” and port forwarding of network traffic to other hosts on the network.

The US government alleges the malware has been used in unspecified cyber-espionage operations that it has tied to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

The report also cites what it believes are links between the malware and the Russian threat group Fancy Bear. This conclusion, the report states, came after linking operational Drovorub C2’s infrastructure with what it said was GTsSS operational cyber infrastructure.

Security researchers say that the malware’s functions can allow attackers to launch cyber warfare campaigns to disrupt companies, all without geographic proximity to the victim. NSA and FBI use a variety of sources, methods, and partnerships to acquire information about foreign cyber threats. 

FBI:      Threatpost:      NSA:     McAfee

You Might Also Read:

The New Sophistication Of Nation-State Hacking:

 

 

« The Rise of the Business-Aligned Security Executive
Teacher Estimates Replace Algorithm That Reduced Exam Grades »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Splunk

Splunk

Splunk provide real-time Security Information & Event Management solutions for Enterprise Networks, Cloud and small-scale IT environments

Acuity Risk Management

Acuity Risk Management

Acuity Risk Management helps businesses worldwide effectively manage, prioritize and report on their risks to inform strategic and tactical decision-making and build long-term resilience.

National Intelligence Service (NIS) - South Korea

National Intelligence Service (NIS) - South Korea

The NIS oversees policy on cyber security in South Korea by formulating and coordinating the execution of such policy and devising necessary schemes and guidelines.

Institute for Cybersecurity & Privacy (ICSP) - University of Georgia

Institute for Cybersecurity & Privacy (ICSP) - University of Georgia

The goal of ICSP is to become a state hub for cybersecurity research and education, including multidisciplinary programs and research opportunities, outreach activities, and industry partnership.

Cyber Defense Agency (CDA)

Cyber Defense Agency (CDA)

Cyber Defense Agency is a premier professional services firm specializing in cyber security, computer network defense, and information security.

Honeywell Process Solutions (HPS)

Honeywell Process Solutions (HPS)

Honeywell's Industrial Cyber Security Solutions help plants and critical infrastructure sectors defend the availability, reliability and safety of their industrial control systems.

Euro-Recycling

Euro-Recycling

Euro-Recycling is a leading UK provider of Secure On-Site Data Media Destruction Services.

aDolus Technology

aDolus Technology

aDolus delivers a robust solution for safeguarding against counterfeit or malicious software and firmware in mission-critical systems.

Global Cybersecurity Forum (GCF)

Global Cybersecurity Forum (GCF)

Global Cybersecurity Forum is a catalyst platform designed to create a more resilient and better cyberworld for all.

Elemental Cyber Security

Elemental Cyber Security

Elemental is a game changing cyber security compliance automation and enforcement technology provider.

Hex-Rays

Hex-Rays

Founded in 2005, privately held, Belgium based, Hex-Rays SA focuses on the development of fast, stable, and robust binary analysis tools for the IT security market.

McDonald Hopkins

McDonald Hopkins

McDonald Hopkins is a business advisory and advocacy law firm. We focus on insightful legal solutions that help our clients strategically plan for an increasingly competitive future.

KATIM

KATIM

KATIM is a leader in the development of innovative secure communication products and solutions for governments and businesses.

NetCentrics

NetCentrics

NetCentrics leverages an innovative, agile, ‘what’s-next’ approach to our customers’ IT and cyber challenges.

Chainguard

Chainguard

Founded by the industry's leading experts on open source software, security and cloud native development, Chainguard are on a mission to make the software supply chain secure by default.

OryxLabs

OryxLabs

OryxLabs provide advanced enterprise digital risk protection solutions. Learn more about how 24x7 continuous assessment, monitoring, and improvement can secure your network.