Publicly known GRU malware C&C infrastructure??? If it's become "public", wouldn't they move from it immediately? Also I guess evil GRU hackers are too stupid to use technologies like I2P, Tor, or even something simpler like Bitmessage and route control traffic via botnets of hacked routers and IoT appliances.
>The name Drovorub comes from a variety of artifacts discovered in Drovorub files and from operations conducted by the GTsSS using this malware
So they again found some Cyrillic letters in binary dumps and used it for attribution? Can we download those artifacts and see for ourselves? Or should we simply trust gentleman's word?
And if I haven't missed something the report contains a lot of unimportant noise, but fails to explain how this malware gets into systems in the first place.
Yeah, these always get me, you see attribution almost every time an alphabet agency goes to the media with malware they analyzed, but it's never reported to be more sophisticated than "a д showed up in the hex dump."
"Drovorub is proprietary malware developed for use by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165. GTsSS malicious cyber activity has previously been attributed by the private sector using the names Fancy Bear, APT28, Strontium, and a variety of other identifiers. (Department of Justice, 2018) (Washington Post, 2018) In addition to NSA's and FBI's attribution to GTsSS, operational Drovorub command and control infrastructure has been associated with publicly known GTsSS operational cyber infrastructure. For one example, on August 5, 2019, Microsoft Security Response Center published information linking IP address 188.8.131.52 to Strontium infrastructure in connection with the exploitation of Internet of Things (IoT) devices in April 2019. (Microsoft Security Response Center, 2019) (Microsoft, 2019) NSA and FBI have confirmed that this same IP address was also used to access the Drovorub C2 IP address 184.108.40.206 in April 2019."
So unless they were sharing 220.127.116.11 with a different malware group (in addition to the other indications that are not mentioned), this seems like pretty good evidence that they share attribution.
This assumes the NSA was able to infiltrate the Drovorub C2 server, I guess.
If it does, that's an easy claim to prove.
I thought I had read that incorrectly in previous reports, but I guess not. Which major distributions still have supported releases running 3.7?! I'm guessing it's gotta be RedHat and older Ubuntu LTS releases? Everything I currently have access to seems to be running at least the 4.x series.
So the most vulnerable would probably be legacy systems or old servers riddled with technical debt?
No, RHEL 7 and thus CentOS 7 ship with kernel 3.10 (see https://en.wikipedia.org/wiki/RHEL and https://access.redhat.com/articles/rhel-limits).
You mean the systems that run our banking infrastructure? The systems that run the power grid? Or the ones that run in embedded devices?
Perhaps the Russians intentionally targeted an older version knowing that our most important systems are often legacy and old.
Running an old, battle hardened kernel that gets the occasional bug fix/security patch is about as stable as you can get in software.
Systems are as stable as their most vulnerable components. I don't think that's a contentious notion at all.
I am from Moscow, I had relatives from Ryazan and Verholensk, for me drovokol is a specialised axe for splitting firewood, lesorub (and it's forest+chop, not wood, wood is only called les by people who sell it, we buy drevesina) is a person who cuts trees in the forest as a job, drovosek is a person who cuts trees for firewood as a job, drovoseksual is a person sexually attracted to trees, and drovorub sounds like a word that somebody both from Verholensk and Ryazan could say.
How did you come up with that bit of fantasy?
> Drovorub (rus. Drovosek)
Here is also a wiktionary page for "drovorub":
It clearly identifies this word as Ukrainian.
When an authoritative statement starts off like that there’s a high chance it’s misinformation or FUD, as corrected in other replies.