Posted on August 14, 2020 at 6:16 PM
The NSA and FBI have jointly issued an alert with technical details about the Linux malware developed and deployed by Russia’s military hackers. The two agencies revealed that the Russian hackers planted backdoors inside hacked networks using the strain of malware called Drovorub.
According to the evidence both agencies provided regarding the attack, the NSA and FBI officials claim that the malware was developed and deployed by APT28, which is a code name for hackers operating from the Russian General Staff main intelligence directorate (GRU).
From the joint alert, the agencies are hoping to increase the level of awareness in both the US private and public sector about the malware. With awareness of what they are dealing with, the IT organization can quickly deploy detection rules to prevent the attacks.
From the report of both agencies, Drovorub is a multi-component system that has a command-and-control server, a port-forwarding module, a file transfer tool, a kernel module rootkit, and an implant.
McAfee’s Chief Technology Officer, Steve Grobman, revealed that the Drovorub malware is capable of performing several actions, which includes controlling the victim’s system remotely.
“The element of stealth allows the operatives to implant the malware in many different types of targets, enabling an attack at any time,” he reiterated.
Grobman further revealed that the U.S. is a big target for potential cyber-attacks. The main goal of the Drovorub malware was not revealed in the report, but it could include elect9ion interference and industrial espionage, says Grobman.
Preventing the attacks
The two agencies have recommended some ways organizations can prevent such attacks on their systems. To prevent the attacks, they recommended that the US organizations should quickly update their Linux systems to a recent version that runs version 3.7 or even a more recent version.
This will help the organizations take complete advantage of the kernel signing enforcement. Based on the advisory, the security feature will help to keep the APT8 hackers at bay, preventing them from the installation of Drovorub’s rookit.
The security alert also offers guidance on running Volatility, checking out Yara rules, Snort rules, and probing for file hiding behavior.
The Drovorub name is used for the APT28 malware, which was not given by the FBI or NSA. The name is derived from drovo, which means “wood” or “firewood” and rub, which means “to chop” or “to tell”.
The NSA and FBI said they connected Drovorub to APT 28 after the Russian hackers used the same hackers for different operations. For instance, both agencies reported that the malware was connected to a C&C server initially used for APT28 operations that target IoT devices last year. Microsoft had previously documented the IP address used by the hackers.
Alert necessary to create awareness
Although the alert doesn’t include any specific detail about the Drovorub victims, the agencies say the alert was necessary to create awareness about the Russian state-sponsored hackers and their operational activities around governments and large corporations.
This revelation is coming only a few months before the Americans go to the polls for the presidential election.
As stated by the agencies, the information contained in the advisory is intended to assist the National Security System owners and the public to provide counter-measures and prevent the infiltration of their systems by the Russian hackers.
The GRU has been seen as a hacking organization that has continued to threaten U.S. organizations, which include the interference of the United States presidential election four years ago. The agencies advised that this same group, responsible for the botched attack against U.S. elections in 2016, could try to repeat the same action as the 2020 presidential election draws nearer.
From the assessment of the US intelligence community, multiple foreign governments may want to compromise the US election infrastructure for different reasons. But what wasn’t clear is whether the Russian hackers were making use of Drovorub malware to disrupt the election efforts.