Fancy Bear cracks into government computers with LoJax UEFI rootkit
Attacks can lead to the full control of computers, with "nearly total persistence" says ESET
The infamous Russian hacking group known as 'Fancy Bear' have been using rootkit malware to hack into and size control of systems belonging to government entities, according to ESET.
The cybersecurity firm has been investigating this new malware, dubbed 'LoJax', and said that it uses a UEFI rootkit to establish a presence on a victims computer.
A UEFI is a Unified Extensible Firmware Interface, which modern computers use to startup and communicate with the operating system. The rootkit found by ESET burrows deep into the UEFI and is nearly impossible to remove.
This rootkit is claimed to be part of a campaign run by the infamous Sednit group against several high-profile targets in Central and Eastern Europe and is the first-ever publicly known attack of this kind. Sednit is one of many aliases used by the Russian hacking group, Fancy Bear.
"Although, in theory, we were aware that UEFI rootkits existed, our discovery confirms they are used by an active APT group. So they are no longer just an attractive topic at conferences, but a real threat," said Jean-Ian Boutin, ESET senior security researcher.
According to the research, UEFI rootkits are an extremely dangerous and formidable tool for launching cyber attacks. They can serve as a key to a whole computer, are hard to detect and able to survive cybersecurity measures such as reinstallation of the operating system or even a hard disk replacement.
Worryingly, ESET said that even cleaning a system that had been infected with a UEFI rootkit required knowledge well beyond that of a typical user, such as flashing the firmware.
Fancy Bear, which is also known as Sofacy, Sednit, APT28 and STRONTIUM, is one of the most active APT groups in the world and has been operating since at least 2004.
ESET said that the discovery of this UEFI rootkit should serve as a wake-up call for users and their organisations who often ignore the risks connected with firmware modifications.
"Now there is no excuse for excluding firmware from regular scanning," added Jean-Ian Boutin. "Yes, UEFI-facilitated attacks are extremely rare, and up to now, they were mostly limited to physical tampering with the target computer. However, such an attack, should it succeed, would lead to the full control of a computer, with nearly total persistence."
2021 Thales access management index: Global edition
The challenges of trusted access in a cloud-first worldFree download
Transforming higher education for the digital era
The future is yoursFree download
Building a cloud-native, hybrid-multi cloud infrastructure
Get ready for hybrid-multi cloud databases, AI, and machine learning workloadsFree download
The next biggest shopping destination is the cloud
Know why retail businesses must move to the cloudFree Download