Russian military targeting Linux systems with Drovorub malware

The NSA and FBI warn the malware is being deployed in real-world espionage attacks by the group known as Fancy Bear

Hacker in front of a Russian flag

Critical US national security systems running Linux are being targeted with malware as part of cyber espionage campaign spearheaded by a division of the Russian military, also known as Fancy Bear or ATP28.

The Drovorub malware is targeting Linux systems operated by US national security agencies, the Department of Defense, and the US government’s industrial assets directly relevant to producing equipment for armed forces.

The malware is being deployed by the division of the GRU, also publicly known as Strontium, as part of the organisation’s cyber espionage operations, according to an advisory published by the FBI and the NSA.

The jointly-published advisory offers detailed technical information on Drovorub, guidance on how to detect the malware on infected systems, and mitigation recommendations. The malware itself compromises an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a command and control (C2) server. 

When deployed on a Linux machine, the Drovorub client paves the way for direct communication with the C2 infrastructure, allowing for file download and upload capabilities, execution of arbitrary commands as "root", and port forwarding of network traffic to other hosts on the network. The malware also implements hiding techniques to evade detection. 

"This Cybersecurity Advisory represents an important dimension of our cybersecurity mission, the release of extensive, technical analysis on specific threats," said NSA cybersecurity director Anne Neuberger. 

"By deconstructing this capability and providing attribution, analysis, and mitigations, we hope to empower our customers, partners, and allies to take action," she said. "Our deep partnership with FBI is reflected in our releasing this comprehensive guidance together."

Related Resource

Rethink your cybersecurity strategy for the new world

5 steps to secure the enterprise and be fit for a flexible future

Download now

The advisory suggests that organisations running Linux systems to apply any system updates immediately, by continually checking for the latest version of vendor-supplied software. Specifically, system administrators should update to Linux Kernel 3.7 or later in order to take advantage of kernel signing enforcement.

System owners are also being advised to configure their systems to load only modules with a valid digital signature, making it more difficult for a hacker to introduce a malicious kernel module into the system. 

System administrators should also activate UEFI-Secure Boot to ensure only signed kernel modules can be loaded. This would, of course, require a UEFI-compliant platform configured in UEFI native mode in Thorough or Full enforcement mode.

"For the FBI, one of our priorities in cyberspace is not only to impose risk and consequences on cyber adversaries but also to empower our private sector, governmental, and international partners through the timely, proactive sharing of information," said FBI assistant director, Matt Gorham. 

"This joint advisory with our partners at NSA is an outstanding example of just that type of sharing," he added. "We remain committed to sharing information that helps businesses and the public protect themselves from malicious cyber actors."

Research from Blackberry outlined earlier this year previously identified Chinese-sponsored hackers as targeting Linux servers in order to steal intellectual property. Compromising Linux web servers in this way that these hackers had done allowed them to steal massive amounts of data disguised as conventional web traffic.

Featured Resources

Choosing a collaboration platform

Eight questions every IT leader should ask

Download now

Performance benchmark: PostgreSQL/ MongoDB

Helping developers choose a database

Download now

Customer service vs. customer experience

Three-step guide to modern customer experience

Download now

Taking a proactive approach to cyber security

A complete guide to penetration testing

Download now

Recommended

What is cyber warfare?
Security

What is cyber warfare?

23 Mar 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021
Roadmap 2021: What’s coming from 3CX
Advertisement Feature

Roadmap 2021: What’s coming from 3CX

30 Mar 2021