Russian military targeting Linux systems with Drovorub malware
The NSA and FBI warn the malware is being deployed in real-world espionage attacks by the group known as Fancy Bear


Critical US national security systems running Linux are being targeted with malware as part of a cyber espionage campaign spearheaded by a division of the Russian military, also known as Fancy Bear or APT28.
The Drovorub malware is targeting Linux systems operated by US national security agencies, the Department of Defense, and the US government’s industrial assets directly relevant to producing equipment for armed forces.
The malware is being deployed by the division of the GRU, also publicly known as Strontium, as part of the organisation’s cyber espionage operations, according to an advisory published by the FBI and the NSA.
The jointly published advisory offers detailed technical information on Drovorub, guidance on how to detect the malware on infected systems, and mitigation recommendations. The malware itself comprises an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a command and control (C2) server.
When deployed on a Linux machine, the Drovorub client paves the way for direct communication with the C2 infrastructure, allowing for file download and upload capabilities, execution of arbitrary commands as "root", and port forwarding of network traffic to other hosts on the network. The malware also implements hiding techniques to evade detection.
"This Cybersecurity Advisory represents an important dimension of our cybersecurity mission, the release of extensive, technical analysis on specific threats," said NSA cybersecurity director Anne Neuberger.
"By deconstructing this capability and providing attribution, analysis, and mitigations, we hope to empower our customers, partners, and allies to take action," she said. "Our deep partnership with FBI is reflected in our releasing this comprehensive guidance together."
The advisory recommends that organisations running Linux systems apply system updates immediately and continually check for the latest version of vendor-supplied software. Specifically, system administrators should update to Linux kernel 3.7 or later in order to take advantage of kernel module signing enforcement.
System owners are also being advised to configure their systems to load only modules with a valid digital signature, making it more difficult for a hacker to introduce a malicious kernel module into the system.
System administrators should also activate UEFI Secure Boot to ensure only signed kernel modules can be loaded. This would, of course, require a UEFI-compliant platform configured in UEFI native mode in Thorough or Full enforcement mode.
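The three recommendations above (a kernel of at least 3.7, signed-module enforcement, and UEFI Secure Boot) can each be verified from a shell on the host. The following self-check is an added example and is not part of the advisory or of this article; the sysfs and efivars paths it reads are the standard Linux locations, while the function names and the PASS/FAIL report format are this example's own.

```shell
#!/bin/sh
# Constructed self-check for the three hardening steps named in the advisory:
# kernel 3.7 or later, signed-module enforcement, and UEFI Secure Boot.
# Added example, not the advisory's own code. The sysfs/efivars paths are the
# standard Linux locations; the function names are this example's own.

# kernel_version_at_least MIN RELEASE: succeed if RELEASE (as printed by
# `uname -r`, e.g. "5.4.0-91-generic") is numerically at least MIN ("3.7").
kernel_version_at_least() {
    _min="$1.0.0"
    # Drop the local-version suffix (e.g. "-91-generic") so only digits remain,
    # then pad with ".0.0" so both major and minor fields always exist.
    _rel=$(printf '%s' "$2" | sed 's/[^0-9.].*$//').0.0
    _rmaj=$(printf '%s' "$_rel" | cut -d. -f1)
    _rmin=$(printf '%s' "$_rel" | cut -d. -f2)
    _mmaj=$(printf '%s' "$_min" | cut -d. -f1)
    _mmin=$(printf '%s' "$_min" | cut -d. -f2)
    # Numeric comparison, so "10.1" correctly ranks above "3.7".
    [ "${_rmaj:-0}" -gt "${_mmaj:-0}" ] ||
        { [ "${_rmaj:-0}" -eq "${_mmaj:-0}" ] && [ "${_rmin:-0}" -ge "${_mmin:-0}" ]; }
}

# module_sig_enforced FILE: succeed if the kernel rejects unsigned modules.
# On a live system FILE is /sys/module/module/parameters/sig_enforce ("Y"/"N").
module_sig_enforced() {
    [ -r "$1" ] || return 1
    [ "$(tr -d '[:space:]' < "$1")" = "Y" ]
}

# secure_boot_enabled FILE: succeed if the SecureBoot EFI variable is 1.
# On a live system FILE is
# /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c;
# its first four bytes are the variable attributes, the fifth is the value.
secure_boot_enabled() {
    [ -r "$1" ] || return 1
    _val=$(od -An -t u1 -j 4 -N 1 "$1" | tr -d ' ')
    [ "$_val" = "1" ]
}

# check_host: run the three checks against the running system and report.
# Always returns 0 so the full report is printed; act on the FAIL lines.
check_host() {
    _running=$(uname -r)
    if kernel_version_at_least 3.7 "$_running"; then
        echo "PASS kernel $_running is 3.7 or later"
    else
        echo "FAIL kernel $_running predates 3.7 (no module signature enforcement)"
    fi
    if module_sig_enforced /sys/module/module/parameters/sig_enforce; then
        echo "PASS unsigned kernel modules are rejected (sig_enforce=Y)"
    else
        echo "FAIL unsigned kernel modules may load (sig_enforce not Y or unavailable)"
    fi
    if secure_boot_enabled /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c; then
        echo "PASS UEFI Secure Boot is enabled"
    else
        echo "FAIL UEFI Secure Boot is disabled or this host did not boot via UEFI"
    fi
    return 0
}

check_host
```

A FAIL on the second line is the one most directly relevant to a kernel-module rootkit: with `sig_enforce` unset, a module with a bad or missing signature is still loaded (the kernel only taints itself), so enabling Secure Boot or booting with `module.sig_enforce=1` is what actually turns signing into a control.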
"For the FBI, one of our priorities in cyberspace is not only to impose risk and consequences on cyber adversaries but also to empower our private sector, governmental, and international partners through the timely, proactive sharing of information," said FBI assistant director, Matt Gorham.
"This joint advisory with our partners at NSA is an outstanding example of just that type of sharing," he added. "We remain committed to sharing information that helps businesses and the public protect themselves from malicious cyber actors."
Research published by BlackBerry earlier this year identified Chinese state-sponsored hackers targeting Linux servers in order to steal intellectual property. By compromising Linux web servers in this way, those hackers were able to steal massive amounts of data disguised as conventional web traffic.

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.