The GRU malware targets Linux operating systems and is used to conduct cyber espionage on behalf.
In a joint alert, the National Security Agency and FBI warned that Fancy Bear, a group of hackers from Russia's General Staff Main Intelligence Directorate (GRU), are using a previously undisclosed piece of malware targeting Linux operating systems to conduct cyber espionage.
The malware, dubbed Drovorub, consists of an implant, kernel rootkit, a file transfer and port forwarding tool and a Command and Control server. It gives the group root access to an infected system, allows them to download and upload data and port of network traffic.
According to the advisory, Drovorub is "proprietary malware" developed by Fancy Bear (or APT 28), which law enforcement organizations have previously identified as one of the units behind the hack of the Democratic National Committee prior to the 2016 U.S. presidential election. Last year, Microsoft linked an IP address to Fancy Bear infrastructure as part of a campaign to infect Internet of Things devices. NSA and FBI said that same IP address was used in April 2019 to access a Command and Control server related to Drovorub.
Network intrusion detection systems are able to identify communications between an infected system and Command and Control servers, but the rootkit module has been crafted to hide itself from many commonly-used detection tools. The agencies are advising system administrators, including those operating National Security Systems, to update to Linux Kernel 3.7 or higher and configure their systems to only accept modules with valid digital signatures. Such mitigations will not completely protect organizations from exploitation, but could make it more difficult for actors to infect a system.
The 45-page document, containing technical information about the malware, information around attribution and mitigation guidance, is remarkably detailed and represents one of the most significant formal disclosures of nation-state hacking tools to date by the U.S. government.
By publicizing such tools, U.S. officials and information security experts say it dramatically reduces their effectiveness and forces a threat actor to go back to the drawing board and develop replacements.
"Tools like this are hidden from operating systems & are expensive to engineer/maintain, with actors often using [them] for the most valuable targets," U.S. Cyber Command wrote on its official Twitter account. "Mitigating against it will cost Russian military intelligence time, money, & access."
The alert does not specify who the unit has been targeting with the malware, but says the disclosure is part of an effort to "assist National Security System owners and the public to counter the capabilities of the GRU, an organization which continues to threaten the United States and U.S. allies as part of its rogue behavior."