Fancy Bear cracks into government computers with LoJax UEFI rootkit

Attacks can lead to the full control of computers, with "nearly total persistence" says ESET

Growling Grizzly bear with Russian hat

The infamous Russian hacking group known as 'Fancy Bear' have been using rootkit malware to hack into and size control of systems belonging to government entities, according to ESET.

The cybersecurity firm has been investigating this new malware, dubbed 'LoJax', and said that it uses a UEFI rootkit to establish a presence on a victims computer.

A UEFI is a Unified Extensible Firmware Interface, which modern computers use to startup and communicate with the operating system. The rootkit found by ESET burrows deep into the UEFI and is nearly impossible to remove.

This rootkit is claimed to be part of a campaign run by the infamous Sednit group against several high-profile targets in Central and Eastern Europe and is the first-ever publicly known attack of this kind. Sednit is one of many aliases used by the Russian hacking group, Fancy Bear.

"Although, in theory, we were aware that UEFI rootkits existed, our discovery confirms they are used by an active APT group. So they are no longer just an attractive topic at conferences, but a real threat," said Jean-Ian Boutin, ESET senior security researcher.

According to the research, UEFI rootkits are an extremely dangerous and formidable tool for launching cyber attacks. They can serve as a key to a whole computer, are hard to detect and able to survive cybersecurity measures such as reinstallation of the operating system or even a hard disk replacement.

Worryingly, ESET said that even cleaning a system that had been infected with a UEFI rootkit required knowledge well beyond that of a typical user, such as flashing the firmware.

Fancy Bear, which is also known as Sofacy, Sednit, APT28 and STRONTIUM, is one of the most active APT groups in the world and has been operating since at least 2004.

It is alleged that the group were involved in the hack that affected the 2016 US elections, the hacking of global television network TV5Monde and the World Anti-Doping Agency email leak.

ESET said that the discovery of this UEFI rootkit should serve as a wake-up call for users and their organisations who often ignore the risks connected with firmware modifications.

"Now there is no excuse for excluding firmware from regular scanning," added Jean-Ian Boutin. "Yes, UEFI-facilitated attacks are extremely rare, and up to now, they were mostly limited to physical tampering with the target computer. However, such an attack, should it succeed, would lead to the full control of a computer, with nearly total persistence."

Featured Resources

Unleashing the power of AI initiatives with the right infrastructure

What key infrastructure requirements are needed to implement AI effectively?

Download now

Achieve today. Plan tomorrow. Making the hybrid multi-cloud journey

A Veritas webinar on implementing a hybrid multi-cloud strategy

Download now

A buyer’s guide for cloud-based phone solutions

Finding the right phone system for your modern business

Download now

The workers' experience report

How technology can spark motivation, enhance productivity and strengthen security

Download now

Recommended

TikTok vulnerability exposed private user data
data protection

TikTok vulnerability exposed private user data

26 Jan 2021
SonicWall hacked via zero-day flaw in remote access tools
Security

SonicWall hacked via zero-day flaw in remote access tools

25 Jan 2021
Global ransom DDoS extortionists are retargeting companies
distributed denial of service (DDOS)

Global ransom DDoS extortionists are retargeting companies

22 Jan 2021
Best ransomware removal tools
ransomware

Best ransomware removal tools

22 Jan 2021

Most Popular

How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
WhatsApp could face €50 million GDPR fine
General Data Protection Regulation (GDPR)

WhatsApp could face €50 million GDPR fine

25 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021