NSA And FBI Warn Of Russian Hackers Targeting Linux Systems

On August 13, 2020, in a rare joint release, the US National Security Agency (NSA) and FBI issued a warning about a previously undisclosed Linux malware toolset dubbed “Drovorub”.

It was reportedly developed by Russian military hackers.

“This Cybersecurity Advisory represents an important dimension of our cybersecurity mission, the release of extensive, technical analysis on specific threats,” NSA Cybersecurity Director Anne Neuberger said. “By deconstructing this capability and providing attribution, analysis, and mitigations, we hope to empower our customers, partners, and allies to take action. Our deep partnership with FBI is reflected in our releasing this comprehensive guidance together.”

According to the joint advisory, which is based on data collected by the two agencies, the Linux malware strain is the work of APT28, a notorious hacking group from military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

The intention is to steal secrets from the public sector, as well as private IT companies.

Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a command and control (C2) server.

When deployed on a victim machine, Drovorub provides the capability for direct communications with actor-controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands; port forwarding of network traffic to other hosts on the network; and implements hiding techniques to evade detection.

What makes Drovorub dangerous is less any novel exploit than its stealth: the kernel module hides the implant's files, processes and network sockets from ordinary userland tooling, so a foothold on a Linux host can persist unnoticed and be used whenever the operators choose.

According to the report, the Drovorub client on the victim host and the Drovorub server communicate with each other using JSON over WebSockets, and the server-side module encrypts that traffic using the RSA algorithm.

“For the FBI, one of our priorities in cyberspace is not only to impose risk and consequences on cyber adversaries but also to empower our private sector, governmental, and international partners through the timely, proactive sharing of information,” said FBI Assistant Director Matt Gorham. “This joint advisory with our partners at NSA is an outstanding example of just that type of sharing. We remain committed to sharing information that helps businesses and the public protect themselves from malicious cyber actors.”

There is also a handy fact sheet. [pdf]

How did you find out about this malware?

“We use a variety of means and methods to acquire information about cyber threats, including our own cybersecurity operations, foreign signals intelligence, U.S. Government partners, engagement with industry, and foreign partners around the world. We don’t comment on the source of any particular information so we can continue to fulfil our vital role for the nation. Protecting our sources also allows us to more broadly release the underlying threat information in ways we might not be able to otherwise do.”

As such it is generally unclear how the malware was discovered and how it was concluded that “the Russians” made it.

The FAQ also addresses whether the recommended mitigations are enough to keep the malware from operating:

Will the mitigations outlined in the guidance protect my system from exposure?

“Implementing SecureBoot in “full” or “thorough” mode should reliably prevent malicious kernel modules, such as the Drovorub kernel module, from loading. This will prevent Drovorub from being able to hide itself on a system. The other detection and mitigation options, such as Snort and Yara rules, will naturally have a limited lifetime, as they are expected to be the first things changed in future versions of the malware to avoid detection. They should be used as quickly as possible before changes are made.”
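The FAQ answer above hinges on the kernel refusing to load an unsigned module. Whether that actually happens on a given host depends on more than the firmware's Secure Boot flag: the advisory recommends kernel 3.7 or later, the version that introduced module signature enforcement, and the running kernel must then be configured to enforce it (module.sig_enforce, or a lockdown mode of integrity or stricter, which most distributions switch on when Secure Boot is enabled). The following POSIX shell script is an added example, not code from the advisory or from the article; it reads the standard sysfs, securityfs and efivars interfaces (the paths and the file name modsign_audit.sh are assumptions; the files only exist on kernels built with the corresponding options) and reports whether an unsigned module such as the Drovorub kernel component would be rejected.

```shell
#!/bin/sh
# Added example (not from the NSA/FBI advisory): audit whether this host can
# refuse an unsigned kernel module. Assumed interfaces: sysfs, securityfs and
# efivars mounted at their usual locations.

# kernel_at_least MIN VERSION  -> prints yes/no.
# MIN is "major.minor" (the advisory's threshold is 3.7); VERSION is the
# output of `uname -r`, so a "-generic"/"-1160.el7" suffix is stripped first.
kernel_at_least() {
    want_major=${1%%.*}
    want_minor=${1#*.};  want_minor=${want_minor%%.*}
    have=${2%%-*}
    have_major=${have%%.*}
    rest=${have#*.};     have_minor=${rest%%.*}
    if [ "$have_major" -gt "$want_major" ] ||
       { [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; }; then
        echo yes
    else
        echo no
    fi
}

# sig_enforce_state [FILE] -> enforced / permissive / unsupported.
# FILE defaults to /sys/module/module/parameters/sig_enforce, present when the
# kernel was built with CONFIG_MODULE_SIG; "Y" means unsigned modules are
# rejected, "N" means they load with only a taint flag.
sig_enforce_state() {
    f=${1:-/sys/module/module/parameters/sig_enforce}
    [ -r "$f" ] || { echo unsupported; return; }
    case "$(cat "$f")" in
        Y) echo enforced ;;
        *) echo permissive ;;
    esac
}

# lockdown_state [FILE] -> the bracketed mode from /sys/kernel/security/lockdown
# (e.g. "[none] integrity confidentiality" -> none), or unsupported.
# "integrity" or "confidentiality" also blocks unsigned modules.
lockdown_state() {
    f=${1:-/sys/kernel/security/lockdown}
    [ -r "$f" ] || { echo unsupported; return; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f"
}

# secure_boot_state -> enabled / disabled / unsupported, read from the UEFI
# SecureBoot variable: efivars files carry 4 bytes of attributes followed by
# the data, and the data here is a single boolean byte.
secure_boot_state() {
    f=$(ls /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n 1)
    [ -n "$f" ] || { echo unsupported; return; }
    case "$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')" in
        1) echo enabled ;;
        *) echo disabled ;;
    esac
}

# unsigned_module_blocked VERSION [SIGFILE] [LOCKFILE] -> yes/no.
# Requires a 3.7+ kernel and at least one active enforcement mechanism.
unsigned_module_blocked() {
    [ "$(kernel_at_least 3.7 "$1")" = yes ] || { echo no; return; }
    case "$(sig_enforce_state "$2")|$(lockdown_state "$3")" in
        "enforced|"*|*"|integrity"|*"|confidentiality") echo yes ;;
        *) echo no ;;
    esac
}

main() {
    kver=$(uname -r)
    echo "kernel $kver (3.7 or later: $(kernel_at_least 3.7 "$kver"))"
    echo "module.sig_enforce:      $(sig_enforce_state)"
    echo "lockdown mode:           $(lockdown_state)"
    echo "UEFI Secure Boot:        $(secure_boot_state)"
    echo "unsigned module blocked: $(unsigned_module_blocked "$kver")"
}

# Only run the audit when executed as modsign_audit.sh, so the functions can
# also be sourced and exercised against captured values.
case "${0##*/}" in modsign_audit.sh) main ;; esac
```

Run it as root on the host being audited (`sh modsign_audit.sh`); the optional file arguments let the checks be exercised against captured values from another machine. A "yes" is a configuration check only: it says nothing about whether Drovorub is already present, which is what the Yara and Snort rules in the advisory and memory forensics are for, and on a kernel without enforcement an attacker who already holds root can still load the module regardless of the firmware setting.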

The advanced persistent threat (APT) group identified as APT28 is also commonly known as Fancy Bear.

To be more precise, the hacking collective labeled as APT28 is said to be associated with military unit 26165, the GRU’s 85th Main Special Service Center (GTsSS). The FBI and NSA report states that Drovorub’s infrastructure has ties to GTsSS infrastructure, and attributes the malware to them as a proprietary tool developed for their own use.

On August 5th, 2019, Microsoft also published a blog post blaming the group for another offensive operation.

The Microsoft Security Response Center claimed that APT28 is responsible for a campaign attacking popular Internet of Things (IoT) devices. In an election year, it’s worth remembering that APT28 was also “implicated” in the 2016 Democratic National Committee hack.

These are most definitely not your “normal” hackers. They are special, Russian “super hackers.”

“I’m not surprised that everyone’s favorite fancy bear (APT28) is on the prowl in Linux land,” says Ian Thornton-Trump, CISO at threat intelligence specialists Cyjax. “Tactically, it makes sense to hack workstations, pivot to Linux servers and hide in that infrastructure to stay persistent.”

“APT groups, especially Russian and Chinese ones, are going to be driven by specific mission requirements and if the target’s information or capabilities are found in a Linux environment that won’t stop the mission objectives,” Thornton-Trump said.

No one should be surprised to find Fancy Bears inside Linux systems, he claimed, adding “they need protection just as much as Windows systems, maybe even more depending on what juicy information or capabilities are present in the target’s open-source environment.”

39 Comments
Lone Ranger

BS. Linux is getting more popular by the day and now even noobs can use it, with distributions like Raspberry OS or Linux Mint. And it doesn’t have built-in NSA/CIA backdoors. That’s why they are worried.

Kim Jong-un

I play from time to time with Ubuntu, what about you, Lone?

Lone Ranger

Linux Mint is the OS if you want an easy all around OS.

Harry Smith

ROFL! The old IT rule: if you want to start a war between Linux guys, ask them which version of Linux is better! https://media1.giphy.com/media/AbKlwKEiP4ZpK/giphy.gif

Traiano Welcome

Exactly. Watch this:

Hey guys, Mint and Ubuntu are for faggots and snowflakes. Real men use DEBIAN!

(Actually, real men use Slackware, but that’s another story …)

Harry Smith

No way! Red Hat is the king! ROFL!

Traiano Welcome

Dead Rat! Hahah! Not since SystemD!

Daily Beatings

Everyone is using systemd, I’ve gotten used to it. It does have some strengths over init.

Traiano Welcome

Heretic! Users of it and its bastard child journalctl should be burned at the stake!

J Roderet

I’ve been using Linux and LibreOffice for years now too. It saves a ton of money each time I build or upgrade a machine. And no automatic updates either…

Daily Beatings

This is how you upgrade a computer with Linux:

1) Take the hard drive out of the old machine
2) Place the hard drive into the new machine
3) Boot the computer

Антон С

Russia has 146 million hackers and internet trolls. Me too.)

Traiano Welcome

Hold on, isn’t that the same number as your population?

Антон С

It is. But I should correct this number. Not all people have internet, but 99% will have it in the near future. The actual number is about 80%. Imagine, all these people are Kremlin trolls, except a few liberals. Sad truth for Washington, which counts every sarcastic message from Russia or with a Cyrillic nickname as a danger to democrazy.

Harry Smith

Oh yeah! Chinese hackers broke into the Pentagon server. Every Chinese person typed “Mao Tse Tung” as the password and at the 745,329,782nd try the server agreed that the password is “Mao Tse Tung”.

Traiano Welcome

That’s called “Re-education”

Harry Smith

Cultural revolution to be more precise. ROFL.

Антон С

The Security Service in Kiev had used the password 123456. Their admin told them to change it; they told him to go away. Changed after 6 months.

Traiano Welcome

The thought of Sergei Shoygu at a linux terminal is truly intimidating!

Антон С

“The thought of Sergei Shoygu at a linux terminal is truly intimidating!” https://mir-s3-cdn-cf.behance.net/project_modules/disp/1ceeee16791861.593e5a801715b.jpg

Tommy Jensen

Exactly what I warned about. You try to be in privacy with your democratic considerations and what happens? An invisible Trumphet tone arrives in your ears going into your brain, and you think of Trumphets all the way to the election and the voting box. You imagine a Trumphet in your brain, and you vote Trump because it’s related, and this has already been figured out in the KGB’s psychological laboratories.

When we say Putin has been interfering in America’s democracy and elections it’s the truth and you know it! Which you can clearly see in this example of facts and reason with logic.

qveenz

How funny…

johnny rotten

Perfect mafia-style intimidation, either you pay our protection or big trouble could happen to your devices.

JIMI JAMES

More like their own paid shills if anything. NSA and FBI are both Democrat tools; see, no hellary nor Biden arrests still. They can’t be trusted nor taken seriously ever again (period). No arrests = no credibility!

#'~A*QXm(>NRmm]w?dU4vXZ

BS. The NSA and FBI are the real culprits, but preparing the plebs for a regular brainwash.

Harry Smith

Does anyone understand that “drovorub” is a Ukrainian word? In Russian it would be “drovosek”. ROFL! Want to fail a mission? Ask Ukrainians to help you!

Traiano Welcome

I hope the Russian rootkits are more reliable than the US ones. The documentation with the Chinese rootkits is rubbish, I’d never use those.

Harry Smith

Looks like it’s Ukrainian rootkit. Won’t work without pork fat and vodka!

Traiano Welcome

Damn. I’ll have to wait for Drovorub Russian Edition then.

Антон С

Gorilka (local moonshine), lard and garlic.

cechas vodobenikov

salo z silotka

Traiano Welcome

On the other hand Linux has been rooted since Lennart Poettering was allowed to trojan it with systemd …

Harry Smith

Come on! Linux is open source and everyone checks the code before the compilation! https://media0.giphy.com/media/3ohs7KViF6rA4aan5u/giphy.gif

Traiano Welcome

Of course. I personally print it all out on a dot matrix and go through it with a red pen …

Harry Smith

Eff! You are better than me! I am using a pencil!

Ivan Freely

Another problem can be with the compiler. You need to make sure it’s a legit version.

Traiano Welcome

Package repos are probably full of drovorub too …

Ivan Freely

As such it is generally unclear how the malware was discovered and how it was concluded that “the Russians” made it.

As expected.

Freemon Sandlewould

hahaha, so in other words the NSA / CIA are attacking Linux and using Cyrillic characters.
