
Russia’s Fancy Bear targets Linux environments with Drovorub malware

The Russian intelligence-linked Fancy Bear group is deploying a new malware called Drovorub against Linux environments as part of a cyber espionage operation, according to US warnings

The US’s National Security Agency (NSA) and Federal Bureau of Investigation (FBI) have issued a joint cyber security advisory warning of a new strain of malware – dubbed Drovorub – that is being deployed against Linux environments by groups linked to the Russian government’s intelligence services.

Unit 26165 of the Russian General Staff Main Intelligence Directorate’s (GRU) 85th Main Special Service Centre, which also goes by the names Fancy Bear, Strontium and APT28, is using Drovorub – a toolset consisting of a client implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a command and control (C2) server – to establish direct communications between compromised hosts and its C2 infrastructure, download and upload files, execute arbitrary commands as root, and port forward network traffic to other hosts on the network.

“This cyber security advisory represents an important dimension of our cyber security mission, the release of extensive, technical analysis on specific threats,” said NSA cyber security director Anne Neuberger.

“By deconstructing this capability and providing attribution, analysis and mitigations, we hope to empower our customers, partners and allies to take action. Our deep partnership with the FBI is reflected in our releasing this comprehensive guidance together.”

FBI assistant director Matt Gorham said: “For the FBI, one of our priorities in cyber space is not only to impose risk and consequences on cyber adversaries, but also to empower our private sector, governmental and international partners through the timely, proactive sharing of information.

“This joint advisory with our partners at NSA is an outstanding example of just that type of sharing. We remain committed to sharing information that helps businesses and the public protect themselves from malicious cyber actors.”

The two agencies said Drovorub represents a threat to national security and defence systems, and to contractors within the military-industrial complex, that run Linux.

Steve Grobman, CTO at McAfee, described Drovorub – which translates most directly as “woodcutter” – as containing a Swiss-army knife of capabilities allowing an attacker to perform various actions within their target’s systems.


“In addition to Drovorub’s multiple capabilities, it is designed for stealth by utilising advanced rootkit technologies that make detection difficult,” said Grobman. “The element of stealth allows the operatives to implant the malware in many different types of target, enabling an attack at any time. Attackers can launch cyber warfare campaigns to inflict significant damage or disruption and do so without geographic proximity to their target.

“The US is a target-rich environment for potential cyber attacks. The objectives of Drovorub were not called out in the report, but they could range from industrial espionage to election interference.”

The agencies said that, although a number of detection techniques can be used effectively to identify Drovorub (detailed in full in the advisory, along with Snort and Yara rules), its kernel module poses a challenge to large-scale detection because it hides Drovorub’s files, processes and network sockets from the user-space tools commonly used for at-scale live response. Because that hiding only affects the running kernel’s view of the system, the advisory points instead to probe response, network-based detection, and memory or disk-image analysis.

To prevent Drovorub’s kernel module from being loaded in the first place, administrators are urged to update to Linux kernel 3.7 or later, the first release to support kernel module signing, and to configure systems to load only modules with valid digital signatures. Signing support alone is not enough: unless enforcement is turned on (CONFIG_MODULE_SIG_FORCE=y at build time, or the module.sig_enforce=1 boot parameter), an unsigned module still loads and the kernel merely marks itself tainted.
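The following script is an added example, not code from the NSA/FBI advisory or from Computer Weekly. It audits whether a Linux host will actually refuse unsigned kernel modules, which is the mitigation the paragraph above recommends. The script name modsig-check.sh and the config path /boot/config-$(uname -r) are assumptions; the kernel config symbols, the sysfs parameter path and the 3.7 version threshold are real.

```shell
#!/bin/sh
# Added example (not from the NSA/FBI advisory): audit whether this Linux
# host will reject unsigned kernel modules, the mitigation recommended
# against Drovorub's kernel module rootkit.
#
# Two things must both be true for unsigned modules to be rejected:
#   1. the kernel has module signing support (CONFIG_MODULE_SIG=y, 3.7+)
#   2. enforcement is on: CONFIG_MODULE_SIG_FORCE=y at build time, or the
#      module.sig_enforce=1 boot parameter, visible at runtime as
#      /sys/module/module/parameters/sig_enforce containing "Y".
# With signing support but no enforcement an unsigned module still loads;
# the kernel only marks itself tainted.

# kernel_supports_sig VERSION
#   Returns 0 when VERSION (as printed by `uname -r`, e.g. 5.4.0-42-generic)
#   is 3.7 or newer, the first release with module signing.
kernel_supports_sig() {
    major=${1%%.*}            # text before the first dot
    rest=${1#*.}              # text after the first dot
    minor=${rest%%[!0-9]*}    # leading digits of the remainder
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 7 ]; }
}

# sig_enforced_in_config FILE
#   Reads a kernel build config (e.g. /boot/config-$(uname -r), or
#   `zcat /proc/config.gz` saved to a file) and returns 0 only when both
#   CONFIG_MODULE_SIG=y and CONFIG_MODULE_SIG_FORCE=y are set.
sig_enforced_in_config() {
    grep -qx 'CONFIG_MODULE_SIG=y' "$1" &&
    grep -qx 'CONFIG_MODULE_SIG_FORCE=y' "$1"
}

# sig_enforced_at_runtime [SYSFS_FILE]
#   Checks the running kernel's sig_enforce parameter. Returns 0 when it is
#   "Y"; 1 when it is "N" or the file is missing (no signing support at all).
#   SYSFS_FILE is only overridden for testing.
sig_enforced_at_runtime() {
    f=${1:-/sys/module/module/parameters/sig_enforce}
    [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]
}

# audit_host
#   Combines the checks for the current machine; returns 0 only when
#   unsigned modules would be rejected, so the exit status is scriptable.
audit_host() {
    ver=$(uname -r)
    if ! kernel_supports_sig "$ver"; then
        echo "FAIL: kernel $ver predates module signing (3.7); update the kernel"
        return 1
    fi
    if sig_enforced_at_runtime; then
        echo "OK: kernel $ver rejects unsigned modules (sig_enforce=Y)"
        return 0
    fi
    cfg=/boot/config-$ver    # assumed distro location of the build config
    if [ -r "$cfg" ] && ! grep -qx 'CONFIG_MODULE_SIG=y' "$cfg"; then
        echo "FAIL: kernel $ver was built without CONFIG_MODULE_SIG"
    else
        echo "FAIL: kernel $ver would load unsigned modules; set" \
             "CONFIG_MODULE_SIG_FORCE=y or boot with module.sig_enforce=1"
    fi
    return 1
}

# Run the live audit only when executed as modsig-check.sh, so the functions
# above can also be sourced from other scripts without side effects.
[ "${0##*/}" = modsig-check.sh ] && audit_host
```

Save it as modsig-check.sh and run `sh modsig-check.sh`; a nonzero exit status means the host would accept an unsigned module such as Drovorub-kernel. The runtime check is the authoritative one, because a kernel built with CONFIG_MODULE_SIG_FORCE unset can still be made to enforce via the boot parameter, and only sysfs reflects what the running kernel is doing.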
