NSA and FBI publish details on Linux malware ‘from Russian state hackers’

The NSA and FBI have published, in a joint document, the details of Drovorub, a previously unknown toolset containing Linux malware that was allegedly deployed by the team of Russian state hackers known as Fancy Bear and APT28.

Specifically targeting Linux systems, Drovorub consists of an implant with a kernel-module rootkit, a port-forwarding tool and a file-transfer tool, along with a command-and-control server. After a successful compromise, Drovorub communicates directly with the C&C server and can, for example, upload or download files and execute commands as root on the affected system. In addition, the toolkit uses techniques that make detection on the host more difficult. This is what the NSA and the FBI write in their report on Drovorub.

The malware had reportedly not been described before and was allegedly deployed by Russian military unit 26165 of the GRU, a team of state hackers known to security companies as Fancy Bear, APT28 and Strontium. The FBI and NSA advise system administrators to update to Linux kernel 3.7 because of its support for signed kernel modules. With that, every kernel module that is loaded must be signed with a key compiled into the kernel.
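As an added example (not code from the advisory, the agencies or this article), the following POSIX shell script checks a host against the mitigation described above: whether the running kernel is at least 3.7, and whether module signing is merely supported or actually enforced. The sample kernel config text is constructed for the demonstration; the CONFIG_MODULE_SIG and CONFIG_MODULE_SIG_FORCE build options and the /sys/module/module/parameters/sig_enforce runtime parameter are real kernel interfaces.

```shell
#!/bin/sh
# Added example: check the signed-kernel-module mitigation on a Linux host.
# Not part of the NSA/FBI advisory; written for illustration.

# Return 0 if kernel version string $1 (e.g. "5.4.0-42-generic") is at least
# the MAJOR.MINOR given in $2 (e.g. "3.7").
kernel_version_ge() {
    have="${1%%-*}"                       # drop "-42-generic" style suffix
    have_major="${have%%.*}"
    case "$have" in
        *.*) rest="${have#*.}"; have_minor="${rest%%.*}" ;;
        *)   have_minor=0 ;;
    esac
    want_major="${2%%.*}"
    case "$2" in
        *.*) want_rest="${2#*.}"; want_minor="${want_rest%%.*}" ;;
        *)   want_minor=0 ;;
    esac
    [ "$have_major" -gt "$want_major" ] && return 0
    [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]
}

# Read a kernel build config (CONFIG_* lines) from stdin and print one of:
#   enforced   - CONFIG_MODULE_SIG=y and CONFIG_MODULE_SIG_FORCE=y:
#                unsigned or badly signed modules are refused
#   permissive - CONFIG_MODULE_SIG=y only: signatures are checked, but an
#                unsigned module still loads and merely taints the kernel
#   off        - no module signature support built in
module_sig_status() {
    sig=off; force=off
    while IFS= read -r line; do
        case "$line" in
            CONFIG_MODULE_SIG=y)       sig=y ;;
            CONFIG_MODULE_SIG_FORCE=y) force=y ;;
        esac
    done
    if [ "$sig" = y ] && [ "$force" = y ]; then
        echo enforced
    elif [ "$sig" = y ]; then
        echo permissive
    else
        echo off
    fi
}

# Constructed sample config (not taken from any real host).
SAMPLE_CONFIG='CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_SHA512=y'

# Live check of this host: kernel version, build config if readable, and the
# runtime sig_enforce flag (Y when forced by config or by module.sig_enforce=1
# on the kernel command line).
check_host() {
    ver=$(uname -r)
    if kernel_version_ge "$ver" 3.7; then
        echo "kernel $ver: 3.7 or newer, module signing available"
    else
        echo "kernel $ver: older than 3.7, no signed-module support"
    fi
    cfg="/boot/config-$ver"
    if [ -r "$cfg" ]; then
        echo "build config: $(module_sig_status < "$cfg")"
    fi
    if [ -r /sys/module/module/parameters/sig_enforce ]; then
        echo "runtime sig_enforce: $(cat /sys/module/module/parameters/sig_enforce)"
    fi
}

echo "sample config: $(printf '%s\n' "$SAMPLE_CONFIG" | module_sig_status)"
check_host
```

A kernel that is new enough is only half the mitigation: CONFIG_MODULE_SIG alone still loads unsigned modules (with a kernel taint), so the script distinguishes that permissive state from real enforcement, which needs CONFIG_MODULE_SIG_FORCE or the module.sig_enforce=1 boot parameter.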

The American security services do not provide details about the deployment by the Russian state hackers, so it is not clear which targets were involved. In the document, the Americans state that the information is being released so that administrators of secure systems and others can keep the Russians off their systems. In doing so, they cite the interference in the 2016 presidential election as an example of the threat posed by the state hackers.

In an additional statement, the NSA says that the malware poses a threat to the government because, for example, Department of Defense systems run on Linux. The organization calls on those involved to take action against Drovorub. According to researchers, the name combines drovo, Russian for wood, and rub, which can be translated as chopping; drova is, however, also said to be used as slang for drivers. A salient detail is that the Twitter account of an American offensive cyber unit refers to the investigation and, in doing so, points to Russia Today. Russia Today is regarded by critics as a propaganda channel of the Russian government.