National Security Agency (NSA) and Federal Bureau of Investigation (FBI) personnel have issued a new Cybersecurity Advisory regarding previously undisclosed Russian malware.
The NSA and FBI said the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165 is deploying malware called Drovorub – designed for Linux systems as part of its cyberespionage operations.
“This Cybersecurity Advisory represents an important dimension of our cybersecurity mission, the release of extensive, technical analysis on specific threats,” NSA Cybersecurity Director Anne Neuberger said. “By deconstructing this capability and providing attribution, analysis, and mitigations, we hope to empower our customers, partners, and allies to take action. Our deep partnership with FBI is reflected in our releasing this comprehensive guidance together.”
Authorities indicated Drovorub consists of an implant coupled with a kernel module rootkit, a file transfer, and port forwarding tool, and a command and control (C2) server, adding when deployed on a victim machine it enables direct communications with actor-controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands; port forwarding of network traffic to other hosts on the network; and implements hiding techniques to evade detection.
“For the FBI, one of our priorities in cyberspace is not only to impose risk and consequences on cyber adversaries but also to empower our private sector, governmental, and international partners through the timely, proactive sharing of information,” FBI Assistant Director Matt Gorham said. “This joint advisory with our partners at NSA is an outstanding example of just that type of sharing. We remain committed to sharing information that helps businesses and the public protect themselves from malicious cyber actors.”