Russian hackers are aiming malware dubbed Drovorub at federal Linux-based defense systems in a wide-scale cyber espionage operation, the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) said in a joint advisory.
The malware campaign is reportedly tied to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165, also referred to as Fancy Bear, Strontium or APT 28. The aptly-named Drovorub is made up of four modules--an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a command and control (C2) server--along with techniques to avoid detection. According to the full 39-page security disclosure, the hackers themselves have given the malware its name--Drovo translates to “firewood”, or “wood,” while rub conveys "fell”, or “chop.” Taken together, they translate to “woodcutter” or “split wood."
From the alert: When deployed on a victim machine, Drovorub provides the capability for direct communications with actor-controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands; and, port forwarding of network traffic to other hosts on the network. The kernel module rootkit uses a variety of means to hide itself and the implant on infected devices and persists through reboot of an infected machine unless UEFI secure boot is enabled in "full" or "thorough" mode.
Any NSA, Department of Defense and Defense Industrial Base network using Linux are vulnerable to a Drovorub infection, the warning reads. The NSA and the FBI have released a set of detection strategies, mitigation techniques, and configuration recommendations to help network defenders and system administrators reduce the risk of compromise.
"This cybersecurity advisory represents an important dimension of our cybersecurity mission, the release of extensive, technical analysis on specific threats," said Anne Neuberger, NSA cybersecurity director. "By deconstructing this capability and providing attribution, analysis, and mitigations, we hope to empower our customers, partners, and allies to take action,” she said.
The agencies don’t say how long the Drovorub malware has been in circulation nor how the bug was discovered, but do point to an August 5, 2019 Microsoft Security Response Center alert linking IP address 184.108.40.206 to Strontium infrastructure in an Internet of Things devices exploit in April, 2019. The NSA and FBI have confirmed that the same IP address was also used to access the Drovorub C2 IP address 220.127.116.11 that same month.
No other threat actors are believed to be using Drovorub at this point but other cyber adversaries are expected to deploy similar tools and techniques, the alert said.
To prevent Drovorub’s hiding and persistence technique, system administrators should update to Linux Kernel 3.7 or later to take full advantage of kernel signing enforcement. System owners are advised to configure systems to load only modules with a valid digital signature making it more difficult for an actor to introduce a malicious kernel module into the system, the advisory said.
The advisory carried with it an allied message beyond the malware warning. It signaled the agencies’ intention to share information with the private sector, other government entities and international partners to enable network defenders to “identify and degrade malware activity” and to “counter the capabilities of the GRU,” the agencies said.
“For the FBI, one of our priorities in cyberspace is not only to impose risk and consequences on cyber adversaries but also to empower our private sector, governmental, and international partners through the timely, proactive sharing of information,” said Matt Gorham, FBI assistant director. “This joint advisory with our partners at NSA is an outstanding example of just that type of sharing. We remain committed to sharing information that helps businesses and the public protect themselves from malicious cyber actors.”
Along the lines of improved communication, in November, 2017, word surfaced that the FBI knew for more than a year that Fancy Bear cyber attackers were behind a scheme to break into the private gmail accounts of scores of U.S. government individuals and organizations but neglected to alert the potential targets.