Fancy Bear cracks into government computers with LoJax UEFI rootkit

Attacks can lead to the full control of computers, with "nearly total persistence" says ESET

Growling Grizzly bear with Russian hat

The infamous Russian hacking group known as 'Fancy Bear' have been using rootkit malware to hack into and size control of systems belonging to government entities, according to ESET.

The cybersecurity firm has been investigating this new malware, dubbed 'LoJax', and said that it uses a UEFI rootkit to establish a presence on a victims computer.

A UEFI is a Unified Extensible Firmware Interface, which modern computers use to startup and communicate with the operating system. The rootkit found by ESET burrows deep into the UEFI and is nearly impossible to remove.

This rootkit is claimed to be part of a campaign run by the infamous Sednit group against several high-profile targets in Central and Eastern Europe and is the first-ever publicly known attack of this kind. Sednit is one of many aliases used by the Russian hacking group, Fancy Bear.

Advertisement - Article continues below
Advertisement - Article continues below

"Although, in theory, we were aware that UEFI rootkits existed, our discovery confirms they are used by an active APT group. So they are no longer just an attractive topic at conferences, but a real threat," said Jean-Ian Boutin, ESET senior security researcher.

According to the research, UEFI rootkits are an extremely dangerous and formidable tool for launching cyber attacks. They can serve as a key to a whole computer, are hard to detect and able to survive cybersecurity measures such as reinstallation of the operating system or even a hard disk replacement.

Worryingly, ESET said that even cleaning a system that had been infected with a UEFI rootkit required knowledge well beyond that of a typical user, such as flashing the firmware.

Fancy Bear, which is also known as Sofacy, Sednit, APT28 and STRONTIUM, is one of the most active APT groups in the world and has been operating since at least 2004.

It is alleged that the group were involved in the hack that affected the 2016 US elections, the hacking of global television network TV5Monde and the World Anti-Doping Agency email leak.

ESET said that the discovery of this UEFI rootkit should serve as a wake-up call for users and their organisations who often ignore the risks connected with firmware modifications.

Advertisement - Article continues below

"Now there is no excuse for excluding firmware from regular scanning," added Jean-Ian Boutin. "Yes, UEFI-facilitated attacks are extremely rare, and up to now, they were mostly limited to physical tampering with the target computer. However, such an attack, should it succeed, would lead to the full control of a computer, with nearly total persistence."

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now



Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019

Best free malware removal tools 2019

23 Dec 2019
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
public sector

UK gov launches £300,000 SEN EdTech initiative

22 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020