Russian military targeting Linux systems with Drovorub malware

The NSA and FBI warn the malware is being deployed in real-world espionage attacks by the group known as Fancy Bear

Hacker in front of a Russian flag

Critical US national security systems running Linux are being targeted with malware as part of cyber espionage campaign spearheaded by a division of the Russian military, also known as Fancy Bear or ATP28.

The Drovorub malware is targeting Linux systems operated by US national security agencies, the Department of Defense, and the US government’s industrial assets directly relevant to producing equipment for armed forces.

The malware is being deployed by the division of the GRU, also publicly known as Strontium, as part of the organisation’s cyber espionage operations, according to an advisory published by the FBI and the NSA.

The jointly-published advisory offers detailed technical information on Drovorub, guidance on how to detect the malware on infected systems, and mitigation recommendations. The malware itself compromises an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a command and control (C2) server. 

When deployed on a Linux machine, the Drovorub client paves the way for direct communication with the C2 infrastructure, allowing for file download and upload capabilities, execution of arbitrary commands as "root", and port forwarding of network traffic to other hosts on the network. The malware also implements hiding techniques to evade detection. 

"This Cybersecurity Advisory represents an important dimension of our cybersecurity mission, the release of extensive, technical analysis on specific threats," said NSA cybersecurity director Anne Neuberger. 

"By deconstructing this capability and providing attribution, analysis, and mitigations, we hope to empower our customers, partners, and allies to take action," she said. "Our deep partnership with FBI is reflected in our releasing this comprehensive guidance together."

Related Resource

Rethink your cybersecurity strategy for the new world

5 steps to secure the enterprise and be fit for a flexible future

Download now

The advisory suggests that organisations running Linux systems to apply any system updates immediately, by continually checking for the latest version of vendor-supplied software. Specifically, system administrators should update to Linux Kernel 3.7 or later in order to take advantage of kernel signing enforcement.

System owners are also being advised to configure their systems to load only modules with a valid digital signature, making it more difficult for a hacker to introduce a malicious kernel module into the system. 

System administrators should also activate UEFI-Secure Boot to ensure only signed kernel modules can be loaded. This would, of course, require a UEFI-compliant platform configured in UEFI native mode in Thorough or Full enforcement mode.

"For the FBI, one of our priorities in cyberspace is not only to impose risk and consequences on cyber adversaries but also to empower our private sector, governmental, and international partners through the timely, proactive sharing of information," said FBI assistant director, Matt Gorham. 

"This joint advisory with our partners at NSA is an outstanding example of just that type of sharing," he added. "We remain committed to sharing information that helps businesses and the public protect themselves from malicious cyber actors."

Research from Blackberry outlined earlier this year previously identified Chinese-sponsored hackers as targeting Linux servers in order to steal intellectual property. Compromising Linux web servers in this way that these hackers had done allowed them to steal massive amounts of data disguised as conventional web traffic.

Featured Resources

2021 Thales cloud security study

The challenges of cloud data protection and access management in a hybrid and multi cloud world

Free download

IDC agility assessment

The competitive advantage in adaptability

Free Download

Digital transformation insights from CIOs for CIOs

Transformation pilotes, co-pilots, and engineers

Free download

What ITDMs did next - and what they should be doing now

Enable continued collaboration and communication for hybrid workers

Recommended

What is cyber warfare?
Security

What is cyber warfare?

15 Oct 2021

Most Popular

What should you really be asking about your remote access software?
Sponsored

What should you really be asking about your remote access software?

17 Nov 2021
Australia film archive gets $41.9 million to digitise audiovisual heritage
digitisation

Australia film archive gets $41.9 million to digitise audiovisual heritage

6 Dec 2021
Nike to take customers into the metaverse with 'NIKELAND'
virtualisation

Nike to take customers into the metaverse with 'NIKELAND'

19 Nov 2021