Fancy Bear cracks into government computers with LoJax UEFI rootkit

Fancy Bear

The infamous Russian hacking group known as 'Fancy Bear' have been using rootkit malware to hack into and size control of systems belonging to government entities, according to ESET.

The cybersecurity firm has been investigating this new malware, dubbed 'LoJax', and said that it uses a UEFI rootkit to establish a presence on a victims computer.

A UEFI is a Unified Extensible Firmware Interface, which modern computers use to startup and communicate with the operating system. The rootkit found by ESET burrows deep into the UEFI and is nearly impossible to remove.

This rootkit is claimed to be part of a campaign run by the infamous Sednit group against several high-profile targets in Central and Eastern Europe and is the first-ever publicly known attack of this kind. Sednit is one of many aliases used by the Russian hacking group, Fancy Bear.

"Although, in theory, we were aware that UEFI rootkits existed, our discovery confirms they are used by an active APT group. So they are no longer just an attractive topic at conferences, but a real threat," said Jean-Ian Boutin, ESET senior security researcher.

According to the research, UEFI rootkits are an extremely dangerous and formidable tool for launching cyber attacks. They can serve as a key to a whole computer, are hard to detect and able to survive cybersecurity measures such as reinstallation of the operating system or even a hard disk replacement.

Worryingly, ESET said that even cleaning a system that had been infected with a UEFI rootkit required knowledge well beyond that of a typical user, such as flashing the firmware.

Fancy Bear, which is also known as Sofacy, Sednit, APT28 and STRONTIUM, is one of the most active APT groups in the world and has been operating since at least 2004.

It is alleged that the group were involved in the hack that affected the 2016 US elections, the hacking of global television network TV5Monde and the World Anti-Doping Agency email leak.

ESET said that the discovery of this UEFI rootkit should serve as a wake-up call for users and their organisations who often ignore the risks connected with firmware modifications.

"Now there is no excuse for excluding firmware from regular scanning," added Jean-Ian Boutin. "Yes, UEFI-facilitated attacks are extremely rare, and up to now, they were mostly limited to physical tampering with the target computer. However, such an attack, should it succeed, would lead to the full control of a computer, with nearly total persistence."

Bobby Hellard

Bobby Hellard is ITPro's Reviews Editor and has worked on CloudPro and ChannelPro since 2018. In his time at ITPro, Bobby has covered stories for all the major technology companies, such as Apple, Microsoft, Amazon and Facebook, and regularly attends industry-leading events such as AWS Re:Invent and Google Cloud Next.

Bobby mainly covers hardware reviews, but you will also recognize him as the face of many of our video reviews of laptops and smartphones.