A joint security advisory from the Federal Bureau of Investigations (FBI) and the National Security Agency (NSA) is not a common occurrence. Neither, for that matter, are Linux security warnings.
The joint cybersecurity advisory in question, issued on August 13, takes a very technical deep dive into a Linux cyberespionage toolkit the agencies have dubbed "Drovorub."
Drovorub is described as being "a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server." A real killer of security drivers if ever there was.
A complete system infiltration and spying kit, enabling a backdoor into compromised networks that can be opened very stealthily by the threat actors, in other words. And that threat actor, the FBI and NSA say, is APT28.
The advanced persistent threat (APT) group identified as APT28 is also commonly known as Fancy Bear. To be more precise, the hacking collective labeled as APT28 is said to be associated with military unit 26165, the GRU's 85th Main Special Service Center (GTsSS.) The FBI and NSA report reveals that Drovorub infrastructure has ties to the GTsSS infrastructure, and attributes the proprietary malware as being developed for use by them.
