Drovorub

The National Security Agency and the Federal Bureau of Investigation released a joint cybersecurity advisory about newly discovered malware deployed by the Russian government.

Drovorub, or “woodcutter,” is a malware toolset that allows hackers to take control of infected Linux systems and has several sophisticated means of evading detection. In their joint advisory, the NSA and FBI attributed it to the Russian General Staff Main Intelligence Directorate's 85th Main Special Service Center, unit 26165, more widely known as Fancy Bear, Strontium, or APT28, and indicated that its primary use was in cyberespionage.

“Drovorub represents a threat to National Security Systems, Department of Defense, and Defense Industrial Base customers that use Linux systems,” stated the press release accompanying the advisory.

The advisory contains a detailed description of Drovorub, including how it is deployed, how it is configured, and how it evades detection. It includes methods for mitigating an infection on a compromised system, and the agencies also urge system administrators to update to Linux kernel 3.7 or later.