Also serving the communities of De Luz, Rainbow, Camp Pendleton, Pala and Pauma

NSA and FBI expose Russian previously undisclosed malware Drovorub in cybersecurity advisory

WASHINGTON – The National Security Agency and the FBI released a new cybersecurity advisory about previously undisclosed Russian malware.

The Russian General Staff Main Intelligence Directorate 85th Main Special Service Center military unit 26165, whose activity is sometimes identified by the private sector as Fancy Bear, Strontium or APT 28, is deploying malware called Drovorub, designed for Linux systems as part of its cyber espionage operations. Additional details on Drovorub, to include detection techniques and mitigations, can be found in the joint NSA and FBI Cybersecurity Advisory.

“This cybersecurity advisory represents an important dimension of our cybersecurity mission, the release of extensive, technical analysis on specific threats,” Anne Neuberger, cybersecurity director of the NSA, said. “By deconstructing this capability and providing attribution, analysis and mitigations, we hope to empower our customers, partners and allies to take action. Our deep partnership with FBI is reflected in our releasing this comprehensive guidance together.”

“For the FBI, one of our priorities in cyberspace is not only to impose risk and consequences on cyber adversaries but also to empower our private sector, governmental and international partners through the timely, proactive sharing of information,” Matt Gorham, assistant director of the FBI, said. “This joint advisory with our partners at NSA is an outstanding example of just that type of sharing. We remain committed to sharing information that helps businesses and the public protect themselves from malicious cyber actors.”

Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a command and control server. When deployed on a victim machine, Drovorub provides the capability for direct communications with actor-controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands; port forwarding of network traffic to other hosts on the network and implements hiding techniques to evade detection.

Drovorub represents a threat to National Security Systems, Department of Defense and Defense Industrial Base customers that use Linux systems. Network defenders and system administrators can find detection strategies, mitigation techniques and configuration recommendations in the advisory to reduce the risk of compromise.

More information is available on NSA’s fact sheet at https://www.nsa.gov/Portals/70/documents/resources/cybersecurity-professionals/DROVORUB-Fact%20sheet%20and%20FAQs.pdf.

Submitted by National Security Agency.

 

Reader Comments(0)