Industry News

Russia’s GRU Military Unit Behind Previously Unknown Linux Malware, NSA Says

The National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) have revealed the existence of a previously undisclosed piece of Linux malware named Drovorub, which the agencies attribute to the 85th Main Special Service Center (GTsSS), military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU).

Suspected GRU involvement in developing tools used in cyberattacks is nothing new. What makes the NSA and FBI advisory different is the disclosure of a new toolset, Drovorub, built to infect Linux systems and give its operators persistent root-level control of the compromised host.

Cyber activity by military unit 26165, the GTsSS, is publicly tracked under names such as APT28 or Fancy Bear. According to the NSA and FBI, this unit developed and uses the new Linux threat, although the advisory does not describe specific intrusions or name victims.

“Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server,” says the advisory. “When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as ‘root’; and port forwarding of network traffic to other hosts on the network.”

Detecting the malware is not straightforward, particularly on the host itself. The advisory recommends packet inspection at network boundaries to spot Drovorub’s communications with its C2 infrastructure, and, on hosts, a combination of probing, security products, live response, memory analysis and media (disk image) analysis.

Detection on the host is harder because the implant is coupled with a dedicated kernel module rootkit that hides the implant’s files, processes and network activity from ordinary user-space tools on the running system.

The agencies published several mitigations and detection techniques, each with its strengths and weaknesses. There is no patch to apply; the advisory names no vulnerability that Drovorub exploits. Instead, system administrators are advised to run a Linux kernel at version 3.7 or later, the first line that can fully enforce kernel module signing.

System owners should then configure the kernel to load only modules that carry a valid digital signature, which makes it considerably harder for an attacker to install a malicious kernel module such as Drovorub’s rootkit.
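The following POSIX sh checklist is an added example, not code from the advisory or the article. It exercises the two mitigations described above on a Linux host: the kernel is at 3.7 or later, and module signature enforcement is switched on. It also decodes the kernel taint mask, which records whether an unsigned module has already been loaded since boot. The /sys and /proc paths are the real kernel interfaces; the function arguments and the values in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the NSA/FBI advisory): checks for the kernel
# version and module-signing mitigations. Paths under /sys and /proc are
# the kernel's own interfaces; defaults can be overridden for testing.

# Return 0 if kernel release string $1 (e.g. "5.4.0-77-generic") is at
# least major.minor $2 (default 3.7, the version the advisory names).
kernel_at_least() {
    rel="$1"; want="${2:-3.7}"
    have_major=${rel%%.*}
    rest=${rel#*.}
    have_minor=$(printf '%s' "$rest" | sed 's/[^0-9].*//')
    have_minor=${have_minor:-0}
    want_major=${want%%.*}
    want_minor=${want#*.}
    if [ "$have_major" -gt "$want_major" ]; then return 0; fi
    if [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; then
        return 0
    fi
    return 1
}

# Print "enforced", "not-enforced" or "unknown" for module signature
# enforcement, read from the sig_enforce parameter file (path overridable
# so the function can be run against a constructed file).
sig_enforce_status() {
    f="${1:-/sys/module/module/parameters/sig_enforce}"
    if [ ! -r "$f" ]; then echo unknown; return 2; fi
    case "$(cat "$f")" in
        Y) echo enforced;     return 0 ;;
        N) echo not-enforced; return 1 ;;
        *) echo unknown;      return 2 ;;
    esac
}

# Decode the kernel taint bitmask ($1, default /proc/sys/kernel/tainted).
# Bit 12 (4096) marks an out-of-tree module, bit 13 (8192) a module loaded
# without a valid signature, i.e. evidence that enforcement was not on.
taint_flags() {
    t="${1:-$(cat /proc/sys/kernel/tainted 2>/dev/null || echo 0)}"
    out=""
    [ $((t & 4096)) -ne 0 ] && out="out-of-tree-module"
    [ $((t & 8192)) -ne 0 ] && out="${out:+$out,}unsigned-module"
    printf '%s\n' "${out:-clean}"
}

# Return 0 if modules_disabled is 1: no further modules can be loaded at
# all until reboot, a stricter option where the module set is static.
modules_disabled() {
    f="${1:-/proc/sys/kernel/modules_disabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Summarise the live host.
report() {
    rel=$(uname -r)
    if kernel_at_least "$rel"; then
        echo "kernel $rel: 3.7 or later, module signing enforcement available"
    else
        echo "kernel $rel: older than 3.7, upgrade before relying on module signing"
    fi
    echo "module signature enforcement: $(sig_enforce_status)"
    echo "kernel taint: $(taint_flags)"
    if modules_disabled; then
        echo "module loading: disabled until reboot"
    else
        echo "module loading: enabled"
    fi
}

report
```

A result of "not-enforced" means the kernel was built with module signing (CONFIG_MODULE_SIG) but is not refusing unsigned modules; enabling it requires either CONFIG_MODULE_SIG_FORCE in the kernel build or `module.sig_enforce=1` on the kernel command line. The parameter can only be turned on, never back off, at runtime, so an attacker who gains root on a correctly configured host still cannot relax it without a reboot. A taint mask that already shows `unsigned-module` means an unsigned module was loaded at some point since boot and the host deserves the memory and disk analysis the advisory describes.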

About the author

Silviu STAHIE

Silviu is a seasoned writer who has followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between. He's passionate about security and the way it shapes the world, in all aspects of life. He's also a space geek, enjoying all the exciting new things the Universe has to offer.