FBI and NSA Disclose Malware Used by Russia’s ‘Fancy Bear’

The U.S. National Security Agency and the Federal Bureau of Investigation warned that hackers from Russia’s military intelligence unit created malware to spy on Linux systems widely used by the U.S. defense industry.

The previously undisclosed malware is called “Drovorub” and was created by the Russian hacking group known as “Fancy Bear,” part of the GRU military intelligence unit. The disclosure on Thursday in a cybersecurity advisory is intended to “counter the capabilities of the GRU” -- a unit whose hackers became infamous for their cyber-attacks in the lead-up to the U.S. presidential election in 2016.

“This malware represents a very significant threat,” Keppel Wood, chief operations officer in the NSA’s cybersecurity directorate, said in an interview. She added that national security systems, the Department of Defense, the defense industrial base and the larger cybersecurity community rely on Linux-based systems, meaning that “this threat has potential to be widespread, especially if network defenders don’t take action against it.”

The advisory contains over 40 pages of technical detail about Drovorub, a name derived from the hacking code that translates to “woodcutter” or “to split wood.” The malware can take control of systems and move data on and off of them, and it is particularly dangerous because it is designed specifically to evade detection, according to the NSA.

The advisory calls out the GRU hacking unit that is under active investigation by the FBI, according to Mike Herrington, a member of the FBI’s cyber division. “This fits into the framework of a long-running investigation into this group,” he said of the advisory.

According to the advisory, the GRU “continues to threaten the United States and U.S. allies as part of its rogue behavior.”

The public disclosure of the malware is intended to spur network defenders to take protective actions, such as updating their Linux systems. “By constructing this capability and providing attribution analysis, and mitigations, we hope to empower our customers, partners and allies to take action,” NSA Cybersecurity Director Anne Neuberger said in the advisory.

The NSA warning is making it more difficult for the GRU break into networks and “increasing the risk of detection when they are operating on the internet by allowing the private sector to detect this information on their own and not relaying solely on the FBI and the intelligence community and our partners to inform them when we find it ourselves,” Herrington said.

The release -- one of 19 such public disclosures since October -- is also part of a broader NSA attempt to be more transparent about its cybersecurity work. “We recognize that to be a strong partner we need to build trust with the greater cybersecurity community and be transparent about our contributions,” Wood said. “As an intelligence agency we have historically been reticent to talk publicly about our work as I’m sure has been apparent in the past, and that’s really changing right now.”

©2020 Bloomberg L.P.

BQ Install

Bloomberg Quint

Add BloombergQuint App to Home screen.