NSA and FBI expose Russian previously undisclosed malware “Drovorub”

August 14, 2020

The National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) released a new Cybersecurity Advisory about previously undisclosed Russian malware.

According to the NSA and FBI, the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165, whose activity is sometimes identified by the private sector as Fancy Bear, Strontium, or APT 28, is deploying malware called Drovorub, designed for Linux systems as part of its cyber espionage operations. Further details on Drovorub, to include detection techniques and mitigations, can be found in the joint NSA and FBI Cybersecurity Advisory.

"This Cybersecurity Advisory represents an important dimension of our cybersecurity mission, the release of extensive, technical analysis on specific threats," NSA Cybersecurity Director Anne Neuberger said. "By deconstructing this capability and providing attribution, analysis, and mitigations, we hope to empower our customers, partners, and allies to take action. Our deep partnership with FBI is reflected in our releasing this comprehensive guidance together."

“For the FBI, one of our priorities in cyberspace is not only to impose risk and consequences on cyber adversaries but also to empower our private sector, governmental, and international partners through the timely, proactive sharing of information,” said FBI Assistant Director Matt Gorham. “This joint advisory with our partners at NSA is an outstanding example of just that type of sharing. We remain committed to sharing information that helps businesses and the public protect themselves from malicious cyber actors.”

Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a command and control (C2) server, say the agencies. When deployed on a victim machine, Drovorub provides the capability for direct communications with actor-controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands; port forwarding of network traffic to other hosts on the network; and implements hiding techniques to evade detection.

According to Matt Walmsley, EMEA Director at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyberattackers, “The analysis of “Drovorub” provides a reminder that Russian offensive cyber capabilities remain in the top tier of nation states. It’s pleasing to see the NSA / FBI’s alert identify the Tactics, Techniques and Procedures (TTP) used by “Drovorub” to map against the MITRE ATT&CK framework. That mapping provides practical help to security teams needing to quickly validate their technical controls and their ability to detect the various stages of attacker behaviors, such as Drovorub’s diverse use of stealthy command and control techniques.”

Drovorub represents a threat to National Security Systems, Department of Defense, and Defense Industrial Base customers that use Linux systems. Network defenders and system administrators can find detection strategies, mitigation techniques, and configuration recommendations in the advisory to reduce the risk of compromise, say the agencies.

Read the Fact Sheet and FAQ here.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.