FBI, NSA reveal undisclosed Russian hacking tool

In a joint alert, the National Security Agency and FBI warned that Fancy Bear, a group of hackers from Russia's General Staff Main Intelligence Directorate (GRU), are using a previously undisclosed piece of malware targeting Linux operating systems to conduct cyber espionage.

The malware, dubbed Drovorub, consists of an implant, a kernel rootkit, a file transfer and port forwarding tool, and a command and control server. It gives the group root access to an infected system and allows them to download and upload data and forward network traffic through ports.

According to the advisory, Drovorub is "proprietary malware" developed by Fancy Bear (or APT 28), which law enforcement organizations have previously identified as one of the units behind the hack of the Democratic National Committee prior to the 2016 U.S. presidential election. Last year, Microsoft linked an IP address to Fancy Bear infrastructure as part of a campaign to infect Internet of Things devices. NSA and FBI said that same IP address was used in April 2019 to access a Command and Control server related to Drovorub.

Network intrusion detection systems are able to identify communications between an infected system and command and control servers, but the rootkit module has been crafted to hide itself from many commonly used detection tools. The agencies are advising system administrators, including those operating National Security Systems, to update to Linux kernel 3.7 or higher and to configure their systems to accept only kernel modules with valid digital signatures. Such mitigations will not completely protect organizations from exploitation, but could make it more difficult for actors to infect a system.
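The two mitigations above can be audited on a host with the following script. It is an added example, not code from the advisory or from FCW; it assumes the standard sysfs path /sys/module/module/parameters/sig_enforce and a kernel build config at /boot/config-<release>, and the values it is tested against are constructed.

```shell
#!/bin/sh
# Added example, not from the advisory or the article: audit a Linux host for
# the two mitigations named above, a kernel at or above 3.7 and enforced
# kernel module signature checking.

# Return 0 if kernel release $1 (e.g. "5.4.0-42-generic") is at least $2 ("3.7").
kernel_at_least() {
    have_major=${1%%.*}
    case $1 in *.*) rest=${1#*.} ;; *) rest=0 ;; esac
    have_minor=$(printf '%s' "$rest" | sed 's/[^0-9].*//')
    want_major=${2%%.*}
    want_minor=${2#*.}
    if [ "$have_major" -gt "$want_major" ]; then return 0; fi
    if [ "$have_major" -eq "$want_major" ] && [ "${have_minor:-0}" -ge "$want_minor" ]; then
        return 0
    fi
    return 1
}

# Print Y, N or unknown: the runtime state of the module.sig_enforce knob.
# Assumes the standard sysfs path; a different file may be passed for testing.
sig_enforce_state() {
    f=${1:-/sys/module/module/parameters/sig_enforce}
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else printf 'unknown'; fi
}

# Return 0 if the kernel build config file $1 rejects unsigned modules
# unconditionally (CONFIG_MODULE_SIG_FORCE=y), so sig_enforce cannot be turned off.
config_sig_force() {
    if [ -r "$1" ] && grep -qx 'CONFIG_MODULE_SIG_FORCE=y' "$1"; then return 0; fi
    return 1
}

# Report on the running host. Missing files are reported, never treated as errors.
audit_host() {
    rel=$(uname -r)
    if kernel_at_least "$rel" 3.7; then echo "kernel $rel: OK (>= 3.7)"
    else echo "kernel $rel: below 3.7, update"; fi
    echo "module.sig_enforce: $(sig_enforce_state)"
    if config_sig_force "/boot/config-$rel"; then echo "CONFIG_MODULE_SIG_FORCE=y: OK"
    else echo "CONFIG_MODULE_SIG_FORCE=y: not found in /boot/config-$rel"; fi
}

audit_host
```

A result of sig_enforce "N" with an old kernel is the combination the advisory's guidance is meant to remove; "unknown" means the kernel was built without module signing support at all.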

The 45-page document, containing technical information about the malware, information around attribution and mitigation guidance, is remarkably detailed and represents one of the most significant formal disclosures of nation-state hacking tools to date by the U.S. government.

U.S. officials and information security experts say that publicizing such tools dramatically reduces their effectiveness and forces a threat actor to go back to the drawing board and develop replacements.

"Tools like this are hidden from operating systems & are expensive to engineer/maintain, with actors often using [them] for the most valuable targets," U.S. Cyber Command wrote on its official Twitter account. "Mitigating against it will cost Russian military intelligence time, money, & access."

The alert does not specify who the unit has been targeting with the malware, but says the disclosure is part of an effort to "assist National Security System owners and the public to counter the capabilities of the GRU, an organization which continues to threaten the United States and U.S. allies as part of its rogue behavior."

About the Author

Derek B. Johnson is a former senior staff writer at FCW.
