FBI release a report on Russian Linux Malware called Drovorub [pdf] (defense.gov)
118 points by Adiauxin 38 days ago | hide | past | favorite | 51 comments

>In addition to NSA's and FBI's attribution to GTsSS, operational Drovorub command and control infrastructure has been associated with publicly known GTsSS operational cyber infrastructure

Publicly known GRU malware C&C infrastructure??? If it became "public", wouldn't they move from it immediately? Also I guess evil GRU hackers are too stupid to use technologies like I2P, Tor, or even something simpler like Bitmessage and route control traffic via botnets of hacked routers and IoT appliances.

>The name Drovorub comes from a variety of artifacts discovered in Drovorub files and from operations conducted by the GTsSS using this malware

So they again found some Cyrillic letters in binary dumps and used it for attribution? Can we download those artifacts and see for ourselves? Or should we simply trust gentleman's word?

And if I haven't missed something the report contains a lot of unimportant noise, but fails to explain how this malware gets into systems in the first place.

>So they again found some Cyrillic letters in binary dumps and used it for attribution?

Yeah, these always get me, you see attribution almost every time an alphabet agency goes to the media with malware they analyzed, but it's never reported to be more sophisticated than "a д showed up in the hex dump."

Attribution probably gets into some classified tradecraft most of the time.

Ahh yes, the "inverse conspiracy theory." The government is secretly competent. ;)

Read the article. Microsoft published details about an attack from April 2019 using an IP. This malware used the same IP for a different attack, also in April 2019.

A single IP address? Really?

Here are the contents of the "attribution section:"

"Drovorub is proprietary malware developed for use by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165. GTsSS malicious cyber activity has previously been attributed by the private sector using the names Fancy Bear, APT28, Strontium, and a variety of other identifiers. (Department of Justice, 2018) (Washington Post, 2018) (CrowdStrike, 2016)

In addition to NSA's and FBI's attribution to GTsSS, operational Drovorub command and control infrastructure has been associated with publicly known GTsSS operational cyber infrastructure. For one example, on August 5, 2019, Microsoft Security Response Center published information linking IP address to Strontium infrastructure in connection with the exploitation of Internet of Things (IoT) devices in April 2019. (Microsoft Security Response Center, 2019) (Microsoft, 2019) NSA and FBI have confirmed that this same IP address was also used to access the Drovorub C2 IP address in April 2019."

So unless they were sharing with a different malware group (in addition to the other indications that are not mentioned), this seems like pretty good evidence that they share attribution.

My bad, I was under the impression that they were trying to say the attack came from a single IP address only.

> The Drovorub-server uses a MySQL database to manage the connecting Drovorub-client(s) and Drovorub-agent(s).

This assumes the NSA was able to infiltrate the Drovorub C2 server, I guess.

They have the server software. There are a couple of ways they could get it. 1.) They could have hacked the C2 server or a development network, like you are talking about. 2.) The server could be forward deployed to a cloud provider or other infrastructure and law enforcement served a subpoena for a copy of the cloud server. The second seems just as likely as the first.

Or they could have just bought a copy from a compromised developer. Real world spying happens a lot too.

Yeah, there's a lot of other ways they could have gotten it.

Not necessarily. You could probably infer it from a MySQL client in the malware itself and the queries it's making to tables and such.

They know specific commands and configurations for the "drovorub-server" which is the "Command and Control (C2) Server." This makes me think they have the actual server software and probably some sort of operational deployment.

That sounds reaaally unlikely. If the malware shipped a mysql client the NSA would definitely be able to pop the mysql server it connects to.

The point wasn't whether or not they could or did. The point was that it could be inferred based on what SQL client the malware client was using without ever touching the server.

It is extraordinarily unlikely that the malware would ship with a mysql client or talk mysql with the C2.

If it does, that's an easy claim to prove.

Read the document. They have the server software. They have configuration files for the server, they know how it processes communication, they know how it generates UUIDs. They have the server software.

Why RTFA when I can make baseless speculations? :D

Link is broken now.

> Linux Kernel 3.7

I thought I had read that incorrectly in previous reports, but I guess not. Which major distributions still have supported releases running 3.7?! I'm guessing it's gotta be RedHat and older Ubuntu LTS releases? Everything I currently have access to seems to be running at least the 4.x series.

So the most vulnerable would probably be legacy systems or old servers riddled with technical debt?

Centos/RHEL 6 is still 'supported' through Nov 2020, and ships with 2.6 kernel. Centos/RHEL 7 ships with 3.1, and will be supported through June 2024.

> Centos/RHEL 7 ships with 3.1,

No, RHEL 7 and thus CentOS 7 ship with kernel 3.10 (see https://en.wikipedia.org/wiki/RHEL and https://access.redhat.com/articles/rhel-limits).

CentOS / RHEL7 ships with Linux 3.10. That is not the same as 3.1.

Which Centos shipped with 3.11 for workgroups?

Ed: yes, 3.10, not 3.1. The issue reported was in 3.17, IIRC.

> So the most vulnerable would probably be legacy systems or old servers riddled with technical debt?

You mean the systems that run our banking infrastructure? The systems that run the power grid? Or the ones that run in embedded devices?

Perhaps the Russians intentionally targeted an older version knowing that our most important systems are often legacy and old.

Geez, I'm running 5.8.1. Why is RHEL so slow?

Stability for enterprise customers is priority #1

They maintain their own tree and backport the necessary features.

Also 2.4 and 2.6 are _really_ rock solid. Things were at a slower pace back then.

I don't think running older software automatically equals stability, and it is a false sense of security. There are a lot of tools and techniques to automatically handle issues with software that are transparent to the end user.

The very definition of stable is "not changing".

Running an old, battle hardened kernel that gets the occasional bug fix/security patch is about as stable as you can get in software.

Which dictionary? Stability doesn't mean the software can't change. It has more to do with not being broken, than not changing. The latest stable Linux kernel is 5.8.3.

Stability and security are two different things.

In this instance I meant security, as in to feel secure. Like a security blanket.

This is true if the software isn't being maintained. I rely on a few deprecated utilities that are stable in the very limited sense that they will likely never break on their own in the current way they are being used. That doesn't mean they're not currently vulnerable.

Systems are as stable as their most vulnerable components. I don't think that's a contentious notion at all.

Lol. Except no Russian ever would say "drovorub". It's either "drovokol" (firewood + chop) or "lesorub" (wood + cut). Seems like only Ukrainians say "drovorub".

You know regional differences exist?


I am from Moscow, I had relatives from Ryazan and Verholensk, for me drovokol is a specialised axe for splitting firewood, lesorub (and it's forest+chop, not wood, wood is only called les by people who sell it, we buy drevesina) is a person who cuts trees in the forest as a job, drovosek is a person who cuts trees for firewood as a job, drovoseksual is a person sexually attracted to trees, and drovorub sounds like a word that somebody both from Verholensk and Ryazan could say.

Thinking about it more, trying to recall conversations with my father and actually reading the story I linked above, I feel that the difference between drovosek and drovorub is that drovosek's job is in the beginning of the process of turning trees into firewood, and drovorub is in the end. So drovosek turns trees into the firewood, and drovorub makes firewood into a proper size.

> [... “Re: malware name ‘Drovorub,’ which as @NSACyber points out translates directly as ‘woodcutter,’” Alperovitch, a co-founder and former CTO of security firm CrowdStrike, wrote on Twitter. “However, more importantly, ‘Drova’ is slang in Russian for ‘drivers,’ as in kernel drivers. So the name likely was chosen to mean “(security) driver slayer." ...]: https://arstechnica.com/information-technology/2020/08/nsa-a...

First thing that came to my mind was woodcutter = logger.

While I upvoted your native insight regarding present-day language and I agree that the name is stupid, I can nitpickingly Ctrl+F "дроворуб", explained already in the 19th century as an obsolete or Siberian word, in the "ДРОВА" entry of Dahl's dictionary: http://slovardalja.net/word.php?wordid=7571

Also could be "drovosek". But you need to understand that GRU officers are so obsessed with America that they practice their English all the time and their Russian becomes neglected because of that. Look at the API they designed - not a single Russian word or a misused English word! They probably achieve this by beating you up if you say anything in Russian in the office as seen in the documentary "Americans".

"Seems like only Ukrainians say "drovorub"."

How did you come up with that bit of fantasy?

Here is a Ukrainian wiki page describing Malevich's painting "Woodcutter":


> Drovorub (rus. Drovosek)

Here is also a wiktionary page for "drovorub":


It clearly identifies this word as Ukrainian.

Never heard it used, but fair enough.

> Lol. Except no Russian ever would say "drovorub".

When an authoritative statement starts off like that there’s a high chance it’s misinformation or FUD, as corrected in other replies.
