This article is more than 1 year old

This NSA, FBI security advisory has four words you never want to see together: Fancy Bear Linux rootkit

From Russia, with love

The NSA and FBI are sounding the alarm over a dangerous new strain of Linux malware being employed by Russian government hackers often dubbed the Fancy Bear crew.

Uncle Sam explicitly said on Thursday the miscreants – formally known as the 85th Main Special Service Center (GTsSS) – operate within the Russian intelligence directorate, aka the GRU. The software nasty in question is Drovorub, a rootkit designed to infect Linux systems, take control of them, and siphon off files. It is used against very particular targets that are valuable to the Kremlin, so before you panic, bear that in mind – no pun intended.


GRU won't believe it: UK and US call out Russia for cyber-attacks on Georgia last year


"When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor-controlled C2 [command and control] infrastructure; file download and upload capabilities; execution of arbitrary commands as root; and port forwarding of network traffic to other hosts on the network," the NSA and FBI said in their detailed teardown [PDF] of the malware.

What is particularly nasty about the malicious code is its kernel module, which runs at the heart of the operating system. This hooks into the kernel to intercept and filter system calls so that users, administrators, and automated antivirus tools cannot see its files on disk nor observe its activities. It's not impossible to detect if you specifically look for signs of it, though, it seems.

"A number of complementary detection techniques effectively identify Drovorub malware activity," the two agencies said. "However, the Drovorub-kernel module poses a challenge to large-scale detection on the host because it hides Drovorub artifacts from tools commonly used for live-response at scale."

That the Fancy Bear crew would be the ones to wield something like this is not surprising. This military unit – also known as APT28 and Strontium – is far more sophisticated and organized than your common or garden hacker gang, judging from its past exploits.

... the Drovorub-kernel module poses a challenge to large-scale detection ...

While the FBI and NSA didn't discuss this aspect of the operation, the Fancy Bear crew tends to work on extremely high-value areas that the Kremlin has an interest in – things like foreign governments, technology blueprints, commercial deals, and compromising information aka kompromat.

Most notably, the outfit was connected to the 2016 infiltration of the US Democratic Party's computers ahead of the Presidential elections that year, and the 2019 targeting of the World Anti Doping Agency.

The advice from the US government agencies is to block untrusted or unexpected kernel modules, and keep your Linux installations fully up to date with kernel signing enforced. And use kernel version 3.7 or later, apparently. This is just so you have a fighting chance of detecting the thing if it turns up on your computers.

These steps alone won't protect you against the spear-phishing techniques and zero-day vulnerabilities Fancy Bear uses to get Drovorub onto networks in the first place. If you think you'll be a target of the GRU, you'll need to figure out how to ward off or minimize these sorts of attacks yourself.

In their advisory, the Feds noted its advice is "not meant to protect against the initial access vector. The mitigations are designed to prevent Drovorub’s persistence and hiding technique only." ®

More about


Send us news

Other stories you might like