In an unprecedented strategic move, the NSA and FBI have released a highly detailed analysis of a previously undisclosed piece of Linux malware that the agencies directly attributed to APT28, a group that is part of the Russian GRU military intelligence agency.
The United States government has published many other analyses of malware and tools used by threat actors associated with foreign governments, usually those from North Korea and China. Those reports typically come from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and sometimes follow reports from private-sector security researchers. While the NSA tracks state threat actors closely, the agency rarely, if ever, publicly discusses the details of those groups’ operations or tools. The timing and detailed attribution in the report published Thursday on the malware, known as Drovorub, are also notable, given that the U.S. intelligence community has pointed the finger at APT28 for interfering in the 2016 presidential election.
“Information in this Cybersecurity Advisory is being disclosed publicly to assist National Security System owners and the public to counter the capabilities of the GRU, an organization which continues to threaten the United States and U.S. allies as part of its rogue behavior, including their interference in the 2016 U.S. Presidential Election,” the report says.
In the analysis, the NSA and FBI identify a specific unit of the GRU’s Main Special Service Center as the one deploying the Drovorub malware.
“Drovorub is proprietary malware developed for use by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165. GTsSS malicious cyber activity has previously been attributed by the private sector using the names Fancy Bear, APT28, Strontium, and a variety of other identifiers,” the report says.
“In addition to NSA's and FBI's attribution to GTsSS, operational Drovorub command and control infrastructure has been associated with publicly known GTsSS operational cyber infrastructure.”
Specifically, one IP address that Microsoft publicly tied to APT28 (which it tracks as Strontium) in 2019, in connection with attacks on IoT devices, was also used to access the Drovorub C2 infrastructure, the report says.
Drovorub comprises four separate components with a wide range of capabilities, including persistence, port forwarding of network traffic, hiding the implant’s artifacts from the rest of the system by way of a kernel-module rootkit, and downloading and uploading files to and from remote C2 servers. The functionality itself is not atypical for custom malware deployed by state-sponsored APT groups, but the specific targeting of Linux systems is somewhat unusual, as most of the publicly known tools used by these groups are built for Windows.
“Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server. When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor-controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as ‘root’; and port forwarding of network traffic to other hosts on the network,” the report says.
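The kernel-module rootkit is what makes a toolset like this hard to spot from user space: it filters what /proc shows, so `ps` and `ls` simply do not see the implant. Two checks a defender can run on a Linux host follow from that description. The code below is an added example written for this article, not code from the advisory, from the NSA/FBI, or from the malware itself: a cross-view process check (the generic idea behind tools such as unhide, comparing what /proc lists against what `kill(id, 0)` says exists), and a read of the kernel settings that decide whether an unsigned module can be loaded at all. File paths are standard Linux /proc and /sys locations; the decision logic is written so it can be exercised with injected data.

```python
"""Two host checks against a process-hiding kernel-module rootkit.

Added example for this article; not code from the advisory or the malware.

1. Cross-view process check: compare the task IDs that /proc lists (the view
   a rootkit filters) against the IDs the kernel admits exist when probed with
   kill(id, 0). An ID that answers the probe but never appears in /proc is a
   discrepancy worth a closer look.
2. Module-loading posture: read the kernel settings that decide whether an
   unsigned kernel module can be loaded.
"""
import os
from typing import Callable, Iterable, Set


def proc_visible_ids() -> Set[int]:
    """Every PID and thread ID that /proc currently lists.

    Thread IDs must be included: kill(tid, 0) succeeds for a non-leader
    thread, so leaving them out would flag every multi-threaded process.
    """
    ids: Set[int] = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{name}/task") if t.isdigit())
        except OSError:
            pass  # the process exited between the two listings
    return ids


def alive_via_kill(pid: int) -> bool:
    """True if the kernel says the ID exists (EPERM still means it exists)."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def find_hidden_ids(snapshot: Callable[[], Set[int]],
                    alive: Callable[[int], bool],
                    candidates: Iterable[int]) -> Set[int]:
    """IDs alive by probe but absent from two successive /proc snapshots.

    The second snapshot and second probe remove the race with processes that
    were created after the first snapshot: a real hidden task stays absent
    from /proc and alive across both passes, a newcomer shows up in the second
    snapshot, and a short-lived task fails the second probe.
    """
    first = snapshot()
    suspects = [i for i in candidates if i not in first and alive(i)]
    second = snapshot()
    return {i for i in suspects if i not in second and alive(i)}


def read_setting(path: str) -> str:
    """Contents of a /proc or /sys file, or '' if it does not exist here."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ""


def unsigned_module_loading_blocked(sig_enforce: str, modules_disabled: str,
                                    lockdown: str) -> bool:
    """Decide from the raw file contents whether an unsigned module is refused.

    sig_enforce:      /sys/module/module/parameters/sig_enforce, 'Y' or 'N'
    modules_disabled: /proc/sys/kernel/modules_disabled, '1' disables loading
    lockdown:         /sys/kernel/security/lockdown, active mode in brackets,
                      e.g. 'none [integrity] confidentiality'
    """
    if sig_enforce.strip() == "Y" or modules_disabled.strip() == "1":
        return True
    return "[integrity]" in lockdown or "[confidentiality]" in lockdown


if __name__ == "__main__":
    pid_max = int(read_setting("/proc/sys/kernel/pid_max") or 32768)
    hidden = find_hidden_ids(proc_visible_ids, alive_via_kill, range(1, pid_max + 1))
    print("IDs alive but not listed in /proc:", sorted(hidden) or "none")
    blocked = unsigned_module_loading_blocked(
        read_setting("/sys/module/module/parameters/sig_enforce"),
        read_setting("/proc/sys/kernel/modules_disabled"),
        read_setting("/sys/kernel/security/lockdown"))
    print("unsigned kernel modules blocked:", blocked)
```

Run it as root so the probe is not limited by EPERM noise, and expect a few seconds on hosts where `pid_max` is in the millions. A clean result is not proof of a clean host: a kernel module that hooks the `kill` path as well as directory listing defeats this particular cross-view, which is why the second check matters. If unsigned module loading is not blocked, a rootkit module only needs root to get in, and the host should be compared against an offline image rather than trusted to inspect itself.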
The NSA/FBI report did not call out any specific organizations or even industries that have been targeted by the Drovorub malware.