IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Fancy Bear cracks into government computers with LoJax UEFI rootkit

Attacks can lead to the full control of computers, with "nearly total persistence" says ESET

Growling Grizzly bear with Russian hat

The infamous Russian hacking group known as 'Fancy Bear' have been using rootkit malware to hack into and size control of systems belonging to government entities, according to ESET.

The cybersecurity firm has been investigating this new malware, dubbed 'LoJax', and said that it uses a UEFI rootkit to establish a presence on a victims computer.

A UEFI is a Unified Extensible Firmware Interface, which modern computers use to startup and communicate with the operating system. The rootkit found by ESET burrows deep into the UEFI and is nearly impossible to remove.

This rootkit is claimed to be part of a campaign run by the infamous Sednit group against several high-profile targets in Central and Eastern Europe and is the first-ever publicly known attack of this kind. Sednit is one of many aliases used by the Russian hacking group, Fancy Bear.

"Although, in theory, we were aware that UEFI rootkits existed, our discovery confirms they are used by an active APT group. So they are no longer just an attractive topic at conferences, but a real threat," said Jean-Ian Boutin, ESET senior security researcher.

According to the research, UEFI rootkits are an extremely dangerous and formidable tool for launching cyber attacks. They can serve as a key to a whole computer, are hard to detect and able to survive cybersecurity measures such as reinstallation of the operating system or even a hard disk replacement.

Worryingly, ESET said that even cleaning a system that had been infected with a UEFI rootkit required knowledge well beyond that of a typical user, such as flashing the firmware.

Fancy Bear, which is also known as Sofacy, Sednit, APT28 and STRONTIUM, is one of the most active APT groups in the world and has been operating since at least 2004.

It is alleged that the group were involved in the hack that affected the 2016 US elections, the hacking of global television network TV5Monde and the World Anti-Doping Agency email leak.

ESET said that the discovery of this UEFI rootkit should serve as a wake-up call for users and their organisations who often ignore the risks connected with firmware modifications.

"Now there is no excuse for excluding firmware from regular scanning," added Jean-Ian Boutin. "Yes, UEFI-facilitated attacks are extremely rare, and up to now, they were mostly limited to physical tampering with the target computer. However, such an attack, should it succeed, would lead to the full control of a computer, with nearly total persistence."

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Hackers could use new Wslink malware in highly targeted cyber attacks
malware

Hackers could use new Wslink malware in highly targeted cyber attacks

1 Nov 2021
FBI raids Chinese POS business following cyber attack claims
malware

FBI raids Chinese POS business following cyber attack claims

27 Oct 2021
Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021
Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021

Most Popular

Actively exploited server backdoor remains undetected in most organisations' networks
cyber attacks

Actively exploited server backdoor remains undetected in most organisations' networks

1 Jul 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022
Why India wants to become a chipmaking powerhouse
components

Why India wants to become a chipmaking powerhouse

28 Jun 2022