UPDATED 22:16 EDT / AUGUST 13 2020

FBI and NSA issue cybersecurity advisory over new form of Russian malware

The U.S. National Security Agency and Federal Bureau of Investigation today issued a joint cybersecurity advisory warning on a previously undisclosed form of Russian malware.

Dubbed “Drovorub,” the Linux malware is believed to have originated with the Russian General Staff Main Intelligence Directorate 85th Main Special Service Center military unit 26165, commonly known in the security community as Fancy Bear or APT 28.

The same group was tied to the hacking of the Democratic National Committee in 2016 and has since been tied to various hacking campaigns, including the targeting of military contractors in 2018 and an attack on conservative Facebook accounts the same year. A report in August 2017 noted that Fancy Bear was using hacking exploits stolen from the NSA.

Drovorub is described as coming with a range of espionage capabilities. The malware consists of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool and a command-and-control server. Once deployed, Drovorub provides direct communications with Fancy Bear infrastructure, file download and upload, execution of arbitrary commands and port forwarding of network traffic to other hosts on the network. The malware is also said to implement hiding techniques to evade detection.
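A kernel module rootkit that hides itself from the normal module listing is the kind of component the advisory describes. The script below is an added defender-side example written for this article, not code from the advisory or from any Drovorub sample. It assumes a generic loadable-kernel-module (LKM) rootkit behaviour, not a documented Drovorub specific: a module that unlinks itself from the kernel's module list disappears from /proc/modules (and `lsmod`), while its sysfs directory under /sys/module usually remains. Loaded modules have an `initstate` file under /sys/module/<name>/, which built-in modules lack, so comparing the two views surfaces the gap without false positives from compiled-in code. All module names in the sample data are constructed.

```python
"""Cross-view check for hidden loadable kernel modules (added example).

Compares the set of modules the kernel reports as loaded in /proc/modules
with the per-module directories under /sys/module.  A module that was
unlinked from the kernel's module list (a common LKM-rootkit hiding
technique) is missing from the first view but typically still has a
sysfs directory containing 'initstate'.  Built-in modules also appear in
/sys/module but have no 'initstate' file, so they are filtered out.
"""
import os


def parse_proc_modules(text):
    """Return the set of module names from /proc/modules-style text.

    Each line looks like: '<name> <size> <refcount> <deps> <state> <addr>'.
    Only the first column (the name) is needed here.
    """
    names = set()
    for line in text.splitlines():
        parts = line.split()
        if parts:
            names.add(parts[0])
    return names


def find_hidden_modules(proc_modules_text, sysfs_modules):
    """Return a sorted list of module names that sysfs marks as loaded
    (directory contains 'initstate') but /proc/modules does not list.

    sysfs_modules: mapping of module name -> set of entry names found in
    /sys/module/<name>/ (built from os.listdir on a live host, or
    constructed for testing).
    """
    listed = parse_proc_modules(proc_modules_text)
    loaded_per_sysfs = {
        name for name, entries in sysfs_modules.items() if "initstate" in entries
    }
    return sorted(loaded_per_sysfs - listed)


def collect_sysfs_modules(root="/sys/module"):
    """Build the name -> entries mapping from a live /sys/module tree."""
    result = {}
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if os.path.isdir(path):
            try:
                result[name] = set(os.listdir(path))
            except OSError:
                # Unreadable entry: record it as empty so it is not reported.
                result[name] = set()
    return result


def check_live_host():
    """Run the comparison on the current Linux host (requires /proc and /sys)."""
    with open("/proc/modules") as fh:
        proc_text = fh.read()
    return find_hidden_modules(proc_text, collect_sysfs_modules())


# Constructed sample data (not from a real host or from the advisory).
PROC_MODULES_SAMPLE = """ext4 778240 1 - Live 0x0000000000000000
crc32c_generic 16384 2 - Live 0x0000000000000000
"""

SYSFS_SAMPLE = {
    "ext4": {"initstate", "refcnt", "sections", "holders"},
    "crc32c_generic": {"initstate", "refcnt"},
    # Built-in code exposes parameters but no 'initstate': must not be flagged.
    "printk": {"parameters"},
    # Constructed hidden module: loaded per sysfs, absent from /proc/modules.
    "evilmod_example": {"initstate", "refcnt", "sections"},
}


if __name__ == "__main__":
    print("sample data:", find_hidden_modules(PROC_MODULES_SAMPLE, SYSFS_SAMPLE))
    if os.path.exists("/proc/modules") and os.path.isdir("/sys/module"):
        print("this host:", check_live_host())
```

An empty result is not proof of a clean host: a rootkit can hide its sysfs directory as well, so this check belongs alongside memory forensics and kernel integrity controls (signed modules, secure boot) rather than replacing them.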

While providing a 45-page in-depth report on Drovorub, neither the FBI nor the NSA detailed the attack vector, that is, how Fancy Bear installs the malware to begin with. Whether successful attacks had occurred was also not mentioned in the report.

“This Cybersecurity Advisory represents an important dimension of our cybersecurity mission, the release of extensive, technical analysis on specific threats,” NSA Cybersecurity Director Anne Neuberger said in a statement. “By deconstructing this capability and providing attribution, analysis and mitigations, we hope to empower our customers, partners and allies to take action. Our deep partnership with FBI is reflected in our releasing this comprehensive guidance together.”

Steve Grobman, chief technology officer at cybersecurity company McAfee LLC, told SiliconANGLE that the technical details are quite valuable to cybersecurity defenders.

“In addition to Drovorub’s multiple capabilities, it is designed for stealth by utilizing advanced ‘rootkit’ technologies that make detection difficult,” Grobman explained. “The element of stealth allows the operatives to implant the malware in many different types of targets, enabling an attack at any time. Attackers can launch cyberwarfare campaigns to inflict significant damage or disruption and do so without geographic proximity to their target.”

Grobman added that although the objectives of Drovorub were not detailed in the report, they could range from industrial espionage to election interference.

Torsten George, cybersecurity evangelist at zero trust and privileged-access company Centrify Corp., noted there are fundamental measures that can help organizations minimize their exposure to these attacks: “Implement cybersecurity training, regularly update antivirus and anti-malware with the latest signatures, perform regular scans and back up data regularly to an unconnected environment — and verify the integrity of those backups regularly.”

Photo: Pixabay
