In a rare occurrence, the US National Security Agency (NSA) and FBI issued a warning for a new Linux malware dubbed “Drovorub”.
It was reportedly developed by Russian military hackers.
“This Cybersecurity Advisory represents an important dimension of our cybersecurity mission, the release of extensive, technical analysis on specific threats,” NSA Cybersecurity Director Anne Neuberger said. “By deconstructing this capability and providing attribution, analysis, and mitigations, we hope to empower our customers, partners, and allies to take action. Our deep partnership with FBI is reflected in our releasing this comprehensive guidance together.”
According to a report based on data collected by the agencies, the Linux malware strain is the work of APT28, a notorious hacking group from military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).
The intention is to steal secrets from the public sector, as well as private IT companies.
Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a command and control (C2) server.
When deployed on a victim machine, Drovorub provides the capability for direct communications with actor-controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands; port forwarding of network traffic to other hosts on the network; and implements hiding techniques to evade detection.
Drovorub’s stealth capabilities make it easier for the attackers to operate against a range of targets and to launch actions at a time of their choosing.
According to the report, the components of the Linux malware communicate with each other using JSON over WebSockets, and the traffic from the server module is encrypted using the RSA algorithm.
“For the FBI, one of our priorities in cyberspace is not only to impose risk and consequences on cyber adversaries but also to empower our private sector, governmental, and international partners through the timely, proactive sharing of information,” said FBI Assistant Director Matt Gorham. “This joint advisory with our partners at NSA is an outstanding example of just that type of sharing. We remain committed to sharing information that helps businesses and the public protect themselves from malicious cyber actors.”
There is also a handy fact sheet. [pdf]
“How did you find out about this malware?
We use a variety of means and methods to acquire information about cyber threats, including our own cybersecurity operations, foreign signals intelligence, U.S. Government partners, engagement with industry, and foreign partners around the world. We don’t comment on the source of any particular information so we can continue to fulfil our vital role for the nation. Protecting our sources also allows us to more broadly release the underlying threat information in ways we might not be able to otherwise do.”
As such, it is generally unclear how the malware was discovered and how it was concluded that “the Russians” made it.
There is also a guide on how to prevent the malware from operating:
“Will the mitigations outlined in the guidance protect my system from exposure?
Implementing SecureBoot in “full” or “thorough” mode should reliably prevent malicious kernel modules, such as the Drovorub kernel module, from loading. This will prevent Drovorub from being able to hide itself on a system. The other detection and mitigation options, such as Snort and Yara rules, will naturally have a limited lifetime, as they are expected to be the first things changed in future versions of the malware to avoid detection. They should be used as quickly as possible before changes are made.”
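The SecureBoot recommendation quoted above only helps if the kernel actually refuses unsigned modules once it is running. The following script is an added example, not part of the advisory or this article: it reports whether module signature enforcement, kernel lockdown and UEFI SecureBoot are active on a Linux host by reading the standard sysfs and efivars files. The optional root-prefix argument is an assumption introduced here so the same checks can be run against a copied or constructed sysfs tree; on a live system call the functions with no argument.

```shell
#!/bin/sh
# Added example (not the advisory's or the article's code): report the kernel-side
# controls that a SecureBoot chain is expected to bring with it. Each function takes
# an optional ROOT prefix (assumption for testing) so that a constructed sysfs tree
# can be inspected; with no argument the live /sys tree is read.

# Prints "enforced" if the kernel rejects unsigned modules, "permissive" otherwise.
module_sig_status() {
    root="${1:-}"
    f="$root/sys/module/module/parameters/sig_enforce"
    if [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]; then
        echo enforced
    else
        echo permissive
    fi
}

# Prints the active lockdown mode (none, integrity or confidentiality), taken from
# the bracketed entry in /sys/kernel/security/lockdown, or "unknown" if absent.
lockdown_mode() {
    root="${1:-}"
    f="$root/sys/kernel/security/lockdown"
    if [ -r "$f" ]; then
        sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f"
    else
        echo unknown
    fi
}

# Prints "enabled" or "disabled" from the UEFI SecureBoot variable, or "unknown" if the
# variable is not exposed (legacy BIOS boot, or efivarfs not mounted).
secure_boot_status() {
    root="${1:-}"
    # The variable file is SecureBoot-<EFI global variable GUID> under efivars.
    f=$(ls "$root"/sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n 1)
    [ -n "$f" ] || { echo unknown; return; }
    # efivars files carry 4 bytes of attributes followed by the 1-byte value.
    v=$(od -An -t u1 -j 4 -N 1 "$f" | tr -d ' ')
    case "$v" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Summarise all three settings; an "enforced"/"enabled" line for each is what the
# mitigation in the advisory relies on to keep an unsigned kernel module from loading.
report_boot_integrity() {
    root="${1:-}"
    echo "module signature enforcement: $(module_sig_status "$root")"
    echo "kernel lockdown mode:         $(lockdown_mode "$root")"
    echo "UEFI SecureBoot:              $(secure_boot_status "$root")"
}
```

A permissive result for signature enforcement on a host that claims to boot with SecureBoot is worth investigating, since it means a kernel module could still be loaded without a trusted signature regardless of the firmware setting.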
The advanced persistent threat (APT) group identified as APT28 is also commonly known as Fancy Bear.
To be more precise, the hacking collective labeled as APT28 is said to be associated with military unit 26165, the GRU’s 85th Main Special Service Center (GTsSS). The FBI and NSA report states that Drovorub infrastructure has ties to GTsSS infrastructure and attributes the proprietary malware to that unit, as having been developed for its use.
On August 5th, Microsoft also published a blog post blaming the group for another offensive operation.
The Microsoft Security Response Center claimed that APT28 is responsible for a campaign attacking popular Internet of Things (IoT) devices. In an election year, it’s worth remembering that APT28 was also “implicated” in the 2016 Democratic National Committee hack.
These are most definitely not your “normal” hackers. They are special, Russian “super hackers.”
“I’m not surprised that everyone’s favorite fancy bear (APT28) is on the prowl in Linux land,” says Ian Thornton-Trump, CISO at threat intelligence specialists Cyjax. “Tactically, it makes sense to hack workstations, pivot to Linux servers and hide in that infrastructure to stay persistent.”
“APT groups, especially Russian and Chinese ones, are going to be driven by specific mission requirements and if the target’s information or capabilities are found in a Linux environment that won’t stop the mission objectives,” Thornton-Trump said.
No one should be surprised to find Fancy Bears inside Linux systems, he claimed, adding “they need protection just as much as Windows systems, maybe even more depending on what juicy information or capabilities are present in the target’s open-source environment.”