On August 13, 2020, the NSA and FBI released a joint cybersecurity advisory on previously undisclosed Russian malware. According to the NSA’s press release, the malware, dubbed “Drovorub,” is being used by the Russian General Staff Main Intelligence Directorate (GRU) Main Special Service Center (GTsSS).
According to the NSA press release, “Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a command and control (C2) server. When deployed on a victim machine, Drovorub provides the capability for direct communications with actor-controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands; port forwarding of network traffic to other hosts on the network; and implements hiding techniques to evade detection.”
Russian Hackers in the Past
This is, of course, not the first time that Russian-associated hackers have conducted cyber-espionage operations against United States targets. The GRU unit deploying the malware, known as APT28, Fancy Bear, Strontium, and other names, has been accused in recent years by multiple governments and companies of carrying out cyberattacks. Notably, the group has been linked to the 2016 intrusion into the Democratic National Committee.
Given the group’s role in the intrusions leading up to the last presidential election, the advisory is a timely warning from the government. NSA Cybersecurity Director Anne Neuberger described it as an “extensive, technical analysis on specific threats.”
The Impact and Origin of Drovorub Malware
Linux, the operating system that Drovorub targets, is widely used on servers, including the machines behind most web services. The toolset is particularly invasive: Drovorub provides file download and upload, execution of arbitrary commands, port forwarding to other hosts on the network, and kernel-level hiding techniques to evade detection.
Drovorub could represent a threat to National Security Systems, Department of Defense, and Defense Industrial Base customers that run Linux systems. The 45-page advisory gives systems administrators and network security specialists guidance on defending against the malware. The FBI echoed the NSA’s statement, emphasizing the importance of sharing this information with the public.
Information about Drovorub was gathered through FBI and NSA cybersecurity operations, foreign signals intelligence, U.S. Government partners, engagement with industry, and foreign partners around the world. The NSA and FBI are publishing it to blunt the effectiveness of the GRU GTsSS, which continues to threaten the U.S. and its allies. The GTsSS cyber program uses a wide variety of proprietary and publicly known techniques to target networks. Because it is a highly capable organization operating in accordance with the GRU’s mission, system owners should stay watchful and apply all necessary updates.
What to do with a Susceptible System
“For the FBI, one of our priorities in cyberspace is not only to impose risk and consequences on cyber adversaries but also to empower our private sector, governmental, and international partners through the timely, proactive sharing of information,” said FBI Assistant Director Matt Gorham.
The advisory goes on to say that, to keep a system from being susceptible to Drovorub, system administrators should update to Linux kernel 3.7 or later, the first version that supports kernel module signature enforcement. Additionally, system owners are advised to configure their systems to load only modules with a valid digital signature, which makes it much harder for an actor to introduce a malicious kernel module such as the Drovorub rootkit that provides its hiding capability.
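As an added example (this script is not from the advisory or the article), the following POSIX shell pre-flight check tests a host against the two mitigations just described: a kernel at 3.7 or later, and enforcement of kernel module signatures, reported alongside the UEFI Secure Boot state. The sysfs and efivars paths are the standard Linux locations; the function names and verdict strings are this script’s own choices, and the sample version strings in the comments are constructed.

```shell
#!/bin/sh
# Added example, not part of the NSA/FBI advisory or this article.
# Checks a Linux host for the Drovorub mitigations the advisory recommends:
#   1. kernel version >= 3.7 (first release with module signature support)
#   2. module signature enforcement switched on
# and additionally reports UEFI Secure Boot state.

# kernel_at_least VERSION MAJOR MINOR
# Returns 0 when VERSION (as printed by `uname -r`, e.g. "5.4.0-42-generic"
# or "3.10.0-1127.el7.x86_64") is at least MAJOR.MINOR.
kernel_at_least() {
    ver=$1; need_major=$2; need_minor=$3
    major=$(printf '%s' "$ver" | cut -d. -f1 | sed 's/[^0-9].*//')
    minor=$(printf '%s' "$ver" | cut -s -d. -f2 | sed 's/[^0-9].*//')
    [ -n "$major" ] || return 1
    [ -n "$minor" ] || minor=0
    [ "$major" -gt "$need_major" ] && return 0
    [ "$major" -eq "$need_major" ] && [ "$minor" -ge "$need_minor" ] && return 0
    return 1
}

# module_signing_verdict SYSFS_VALUE
# SYSFS_VALUE is the content of /sys/module/module/parameters/sig_enforce,
# or empty when that file does not exist.
#   "Y" -> enforced      (unsigned modules are refused)
#   "N" -> not-enforced  (unsigned modules load and merely taint the kernel)
#   ""  -> unsupported   (kernel built without CONFIG_MODULE_SIG)
module_signing_verdict() {
    case "$(printf '%s' "$1" | tr -d '[:space:]')" in
        Y|y|1) echo enforced ;;
        N|n|0) echo not-enforced ;;
        "")    echo unsupported ;;
        *)     echo unknown ;;
    esac
}

# secure_boot_verdict EFIVAR_PATH
# The SecureBoot EFI variable is 4 attribute bytes followed by one data byte;
# a data byte of 1 means Secure Boot is enabled.
secure_boot_verdict() {
    efivar=$1
    [ -r "$efivar" ] || { echo unknown; return 0; }
    state=$(od -An -tu1 -j4 -N1 "$efivar" | tr -d ' ')
    case "$state" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# check_live_host: run the checks against this machine and print a report.
# Returns 1 if either advisory mitigation is missing.
check_live_host() {
    rc=0
    kv=$(uname -r 2>/dev/null)
    if kernel_at_least "$kv" 3 7; then
        echo "OK    kernel $kv is 3.7 or later"
    else
        echo "WARN  kernel $kv predates 3.7: module signature enforcement is unavailable"
        rc=1
    fi

    sysfs=/sys/module/module/parameters/sig_enforce
    sig=$(module_signing_verdict "$( [ -r "$sysfs" ] && cat "$sysfs" )")
    if [ "$sig" = enforced ]; then
        echo "OK    module.sig_enforce=Y (unsigned kernel modules are refused)"
    else
        echo "WARN  module signing: $sig"
        echo "      fix: boot with module.sig_enforce=1 or build with CONFIG_MODULE_SIG_FORCE=y"
        rc=1
    fi

    sb=$(secure_boot_verdict /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c)
    echo "INFO  UEFI Secure Boot: $sb"
    return $rc
}

check_live_host
```

Run it as root on the host under review; a non-zero exit means at least one of the two advisory mitigations is absent. Note that `module.sig_enforce=Y` only blocks modules lacking a signature by a key in the kernel’s trusted keyring, so the protection is only as strong as the control over that keyring and over the boot chain that loads the kernel.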