Russian military targeting Linux systems with Drovorub malware

The NSA and FBI warn the malware is being deployed in real-world espionage attacks by the group known as Fancy Bear

Hacker in front of a Russian flag

Critical US national security systems running Linux are being targeted with malware as part of cyber espionage campaign spearheaded by a division of the Russian military, also known as Fancy Bear or ATP28.

The Drovorub malware is targeting Linux systems operated by US national security agencies, the Department of Defense, and the US government’s industrial assets directly relevant to producing equipment for armed forces.

The malware is being deployed by the division of the GRU, also publicly known as Strontium, as part of the organisation’s cyber espionage operations, according to an advisory published by the FBI and the NSA.

The jointly-published advisory offers detailed technical information on Drovorub, guidance on how to detect the malware on infected systems, and mitigation recommendations. The malware itself compromises an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a command and control (C2) server. 

When deployed on a Linux machine, the Drovorub client paves the way for direct communication with the C2 infrastructure, allowing for file download and upload capabilities, execution of arbitrary commands as "root", and port forwarding of network traffic to other hosts on the network. The malware also implements hiding techniques to evade detection. 

"This Cybersecurity Advisory represents an important dimension of our cybersecurity mission, the release of extensive, technical analysis on specific threats," said NSA cybersecurity director Anne Neuberger. 

"By deconstructing this capability and providing attribution, analysis, and mitigations, we hope to empower our customers, partners, and allies to take action," she said. "Our deep partnership with FBI is reflected in our releasing this comprehensive guidance together."

Related Resource

Rethink your cybersecurity strategy for the new world

5 steps to secure the enterprise and be fit for a flexible future

Download now

The advisory suggests that organisations running Linux systems to apply any system updates immediately, by continually checking for the latest version of vendor-supplied software. Specifically, system administrators should update to Linux Kernel 3.7 or later in order to take advantage of kernel signing enforcement.

System owners are also being advised to configure their systems to load only modules with a valid digital signature, making it more difficult for a hacker to introduce a malicious kernel module into the system. 

System administrators should also activate UEFI-Secure Boot to ensure only signed kernel modules can be loaded. This would, of course, require a UEFI-compliant platform configured in UEFI native mode in Thorough or Full enforcement mode.

"For the FBI, one of our priorities in cyberspace is not only to impose risk and consequences on cyber adversaries but also to empower our private sector, governmental, and international partners through the timely, proactive sharing of information," said FBI assistant director, Matt Gorham. 

"This joint advisory with our partners at NSA is an outstanding example of just that type of sharing," he added. "We remain committed to sharing information that helps businesses and the public protect themselves from malicious cyber actors."

Research from Blackberry outlined earlier this year previously identified Chinese-sponsored hackers as targeting Linux servers in order to steal intellectual property. Compromising Linux web servers in this way that these hackers had done allowed them to steal massive amounts of data disguised as conventional web traffic.

Featured Resources

Unlocking collaboration: Making software work better together

How to improve collaboration and agility with the right tech

Download now

Four steps to field service excellence

How to thrive in the experience economy

Download now

Six things a developer should know about Postgres

Why enterprises are choosing PostgreSQL

Download now

The path to CX excellence for B2B services

The four stages to thrive in the experience economy

Download now

Recommended

What is cyber warfare?
Security

What is cyber warfare?

23 Mar 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
Xiaomi Redmi Note 10 Pro review: Champagne tastes on a lemonade budget
Mobile Phones

Xiaomi Redmi Note 10 Pro review: Champagne tastes on a lemonade budget

13 Apr 2021
NSA uncovers new "critical" flaws in Microsoft Exchange Server
servers

NSA uncovers new "critical" flaws in Microsoft Exchange Server

14 Apr 2021