Russian military targeting Linux systems with Drovorub malware

The NSA and FBI warn the malware is being deployed in real-world espionage attacks by the group known as Fancy Bear

Critical US national security systems running Linux are being targeted with malware as part of cyber espionage campaign spearheaded by a division of the Russian military, also known as Fancy Bear or ATP28.

The Drovorub malware is targeting Linux systems operated by US national security agencies, the Department of Defense, and the US government’s industrial assets directly relevant to producing equipment for armed forces.

The malware is being deployed by the division of the GRU, also publicly known as Strontium, as part of the organisation’s cyber espionage operations, according to an advisory published by the FBI and the NSA.

The jointly-published advisory offers detailed technical information on Drovorub, guidance on how to detect the malware on infected systems, and mitigation recommendations. The malware itself compromises an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a command and control (C2) server. 

When deployed on a Linux machine, the Drovorub client paves the way for direct communication with the C2 infrastructure, allowing for file download and upload capabilities, execution of arbitrary commands as "root", and port forwarding of network traffic to other hosts on the network. The malware also implements hiding techniques to evade detection. 

"This Cybersecurity Advisory represents an important dimension of our cybersecurity mission, the release of extensive, technical analysis on specific threats," said NSA cybersecurity director Anne Neuberger. 

"By deconstructing this capability and providing attribution, analysis, and mitigations, we hope to empower our customers, partners, and allies to take action," she said. "Our deep partnership with FBI is reflected in our releasing this comprehensive guidance together."

Related Resource

Rethink your cybersecurity strategy for the new world

5 steps to secure the enterprise and be fit for a flexible future

Download now

The advisory suggests that organisations running Linux systems to apply any system updates immediately, by continually checking for the latest version of vendor-supplied software. Specifically, system administrators should update to Linux Kernel 3.7 or later in order to take advantage of kernel signing enforcement.

System owners are also being advised to configure their systems to load only modules with a valid digital signature, making it more difficult for a hacker to introduce a malicious kernel module into the system. 

System administrators should also activate UEFI-Secure Boot to ensure only signed kernel modules can be loaded. This would, of course, require a UEFI-compliant platform configured in UEFI native mode in Thorough or Full enforcement mode.

"For the FBI, one of our priorities in cyberspace is not only to impose risk and consequences on cyber adversaries but also to empower our private sector, governmental, and international partners through the timely, proactive sharing of information," said FBI assistant director, Matt Gorham. 

"This joint advisory with our partners at NSA is an outstanding example of just that type of sharing," he added. "We remain committed to sharing information that helps businesses and the public protect themselves from malicious cyber actors."

Research from Blackberry outlined earlier this year previously identified Chinese-sponsored hackers as targeting Linux servers in order to steal intellectual property. Compromising Linux web servers in this way that these hackers had done allowed them to steal massive amounts of data disguised as conventional web traffic.

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Leading the data race

The trends driving the future of data science

Download now

How to create 1:1 customer experiences at scale

Meet the technology capable of delivering the personalisation your customers crave

Download now

How to achieve daily SAP releases

Accelerate the pace of SAP change to support your digital strategy

Download now

Recommended

What is cyber warfare?
Security

What is cyber warfare?

22 Sep 2020

Most Popular

Microsoft hints at stand-alone successor to Office 2019 suite
Microsoft Office

Microsoft hints at stand-alone successor to Office 2019 suite

24 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020