Russia’s elite state-run hacking groups are known as some of the best in the biz, with a history of attacks stretching back well beyond what we saw during the last presidential election. Now, the NSA and FBI are giving us a window into one of the latest tricks of the trade these actors use once they are inside a Linux system: “Drovorub.”
The two agencies outlined the specs on this strain of Russian malware in a joint cybersecurity advisory released yesterday. According to the advisory, the malware was developed and deployed by the GRU’s 85th Main Special Service Center (GTsSS, military unit 26165), the cyber-espionage group better known as Fancy Bear or APT28, best known for allegedly targeting everything from the U.S. Democratic National Committee to the U.S. Department of Energy.
According to the agencies, the name “Drovorub” is the one the GTsSS operators themselves use for the toolset, and it turns up in artifacts inside the malware’s own files. It comes from drovo (дрово), meaning “firewood,” and rub (руб), meaning “to fell” or “to chop,” so roughly “woodcutter.” The advisory also ties Drovorub’s command-and-control infrastructure to the same group’s 2019 campaign against corporate printers, VoIP phones, and other IoT devices, which is part of how the agencies attribute the malware to Fancy Bear.
The full advisory is a whopping 45 pages explaining the ins and outs of how this specific strain of malware operates. Drovorub is not what gets the attackers in the door; it is what they install once they already have root on a Linux box. It consists of four pieces: a client implant, a kernel-module rootkit that hides the implant’s files, processes, and network connections from the rest of the system, a separate file-transfer and port-forwarding tool, and a command-and-control server. The rootkit is what makes it so hard to spot, and it only loads on kernels that do not enforce signed modules, which in practice means older Linux kernels. The Department of Defence itself and associated defence contractors have been known to run Linux for a variety of purposes. Once installed on a vulnerable system, the malware lets the operators download or upload any files on the infected device, forward traffic to other hosts on the network, and execute any “arbitrary commands” as root.
As one cybersecurity researcher told ZDNet, it’s kind of like the “Swiss Army knife” of Russian malware that can give the attacker near-complete control over the device in question, along with any files it might have stored therein, which isn’t great if the device belongs to a government contractor.
That said, even though the feds are the main target that Fancy Bear might be setting its sights on, they’re far from the only folks at risk from these sorts of shenanigans. Back in 2017, researchers found this group tapping into the Wi-Fi networks of popular hotel chains, which left the door open for guests to have their email addresses and passwords, and potentially their credit card details, siphoned off. More recently, we’ve also seen the group attack Democratic think tanks, a Ukrainian gas company, and more than a dozen athletic and anti-doping organisations that were accusing Russia of doping its Olympic athletes.
The main purpose of the NSA and FBI’s joint advisory, and the more than 40 pages of notes that came along with it, is to “raise awareness” among IT crowds across the country, so they aren’t blindsided by these sorts of bad actors before it’s too late. The advisory includes detection guidance, among it Snort and Yara signatures for Drovorub’s network traffic and files, but the rootkit is built to hide from tools running on the infected host, so prevention matters more than hunting. Luckily the core recommendation is stupendously simple to state: run Linux kernel 3.7 or later (3.7 shipped in December 2012 and introduced kernel module signing), configure the kernel to refuse unsigned modules, and turn on UEFI Secure Boot so only trusted code loads at boot. With those in place the Drovorub kernel module simply can’t be loaded.
Or at least that should be easy. Huge, slow-moving organisations like the DoD struggle with running up-to-date software. Considering we’re already seeing some malware-y threats targeting the coming election, maybe this could be a good reminder to, uh, upgrade those systems.
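For admins who want to check a box against those recommendations, here is a short POSIX shell script that reports whether a host meets them. It is an added example written for this article, not code from the NSA/FBI advisory or anything Drovorub-related; it assumes a Linux host with /proc and /sys mounted and reads only standard kernel interfaces (the sig_enforce module parameter, the kernel.modules_disabled sysctl, and the SecureBoot EFI variable), none of which are Drovorub artifacts.

```shell
#!/bin/sh
# Added example, not code from the article or the NSA/FBI advisory.
# Checks a Linux host for the advisory's mitigations against Drovorub's
# kernel-module rootkit: kernel 3.7 or later, enforced module signature
# checking, and UEFI Secure Boot. The /sys and /proc paths are standard
# kernel interfaces (assumed present on the host), not Drovorub artifacts.

MIN_KERNEL="3.7"   # kernel module signing support arrived in 3.7 (Dec 2012)
SIG_ENFORCE_FILE="/sys/module/module/parameters/sig_enforce"
MODULES_DISABLED_FILE="/proc/sys/kernel/modules_disabled"
SECUREBOOT_VAR="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# kernel_meets_minimum RUNNING REQUIRED -> 0 if major.minor(RUNNING) >= REQUIRED.
# Handles uname -r strings such as "5.15.0-91-generic" or "2.6.32-754.el6".
kernel_meets_minimum() {
    run_major=${1%%.*}; run_rest=${1#*.}; run_minor=${run_rest%%[!0-9]*}
    req_major=${2%%.*}; req_rest=${2#*.}; req_minor=${req_rest%%[!0-9]*}
    [ "$1" = "$run_major" ] && run_minor=0   # no "." in the version string
    [ "$2" = "$req_major" ] && req_minor=0
    [ "$run_major" -gt "$req_major" ] ||
        { [ "$run_major" -eq "$req_major" ] && [ "$run_minor" -ge "$req_minor" ]; }
}

# module_signing_enforced [FILE] -> 0 if the kernel refuses unsigned modules
# (sig_enforce reads "Y"; fixed at build time with CONFIG_MODULE_SIG_FORCE).
module_signing_enforced() {
    f=${1:-$SIG_ENFORCE_FILE}
    [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]
}

# module_loading_disabled [FILE] -> 0 if kernel.modules_disabled=1, i.e. no
# further module loads at all, signed or not, until the next reboot.
module_loading_disabled() {
    f=${1:-$MODULES_DISABLED_FILE}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# secure_boot_enabled [FILE] -> 0 if the SecureBoot EFI variable's data byte is 1.
# efivars files carry a 4-byte attribute header before the variable data.
secure_boot_enabled() {
    f=${1:-$SECUREBOOT_VAR}
    [ -r "$f" ] && [ "$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')" = "1" ]
}

# drovorub_mitigation_report [KERNEL] -> prints one line per check and returns
# the number of failed checks (0 means every advisory mitigation is in place).
drovorub_mitigation_report() {
    kver=${1:-$(uname -r)}
    failed=0
    if kernel_meets_minimum "$kver" "$MIN_KERNEL"; then
        echo "OK   kernel $kver is $MIN_KERNEL or later (module signing supported)"
    else
        echo "FAIL kernel $kver predates $MIN_KERNEL: upgrade, unsigned rootkit modules can load"
        failed=$((failed + 1))
    fi
    if module_signing_enforced; then
        echo "OK   unsigned kernel modules are rejected (sig_enforce=Y)"
    else
        echo "FAIL unsigned modules can load: boot with module.sig_enforce=1 or build with CONFIG_MODULE_SIG_FORCE"
        failed=$((failed + 1))
    fi
    if secure_boot_enabled; then
        echo "OK   UEFI Secure Boot is enabled"
    else
        echo "FAIL UEFI Secure Boot is off (or this is not a UEFI boot): enable it so only trusted code runs at boot"
        failed=$((failed + 1))
    fi
    if module_loading_disabled; then
        echo "INFO kernel.modules_disabled=1: no further module loading this boot"
    fi
    return "$failed"
}

if drovorub_mitigation_report "$@"; then
    echo "all advisory mitigations in place"
else
    echo "$? check(s) failed"
fi
```

Run it as root (the efivars file is typically root-readable only); pass a version string as the first argument to evaluate a kernel other than the running one. The script only confirms that the door the Drovorub rootkit uses is closed; it does not detect an existing infection, which is what the advisory's Snort and Yara signatures are for.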