Army Rumour Service


Dedicated Russian thread

The NSA and FBI have published a 45-page report (link to fact sheet) on the GRU (aka GU) exposing what they've called a sophisticated Russian hacking tool. Known as 'Drovorub', it's apparently used to break into Linux-based computers. According to the fact sheet, it is run by the 85th Main Special Service Center (GTsSS) and is sometimes publicly associated with APT28, Fancy Bear, Strontium etc.
“Linux systems are used pervasively throughout National Security Systems, the Department of Defense, and the Defense Industrial Base - as well as the larger cybersecurity community writ large,” Keppel Wood, chief operations officer in the NSA’s Cybersecurity Directorate, told Reuters. “The malware has the potential to have a widespread impact if network defenders don’t take action against it.”

“Drovorub is a ‘Swiss Army knife’ of capabilities that allows the attacker to perform many different functions, such as stealing files and remote-controlling the victim’s computer,” said Steve Grobman, chief technology officer for cybersecurity company McAfee.
...............
“NSA is sharing this information to counter the capabilities of the GRU GTsSS, which continues to threaten the United States and its allies,” said the NSA’s Wood.
 
And what is the problem? Russian and American labs are developing software to spy against each other. It is not forbidden by any international treaty. So what could one expect - that Russia unilaterally stops such an activity? It would be an illogical step.
 
It’s a warning. That your ‘crooks and thieves’ have a new tool on the books aimed at Linux based computers.

We all know what ‘Fancy Bear’ et al have done around the world, including WADA (noting Russia has now paid the doping fine), to attacks in The Hague etc.

I don’t see a problem with them sending out a warning. Do you?
 
Remarkably, Washington hasn't claimed that American labs never developed this sort of software. If it is a problem then for Washington it would be logical to propose - we, the Americans and our allies, will not develop such malware. Let's sing an agreement about global prohibition.
 
Demonstrations and meetings in support of jailed governor Furgal continue in the city of Khabarovsk. It is the 5th week of permanent protests, frequently with anti-Putin slogans.
Today, 15 August, it looks this way.
 
Remarkably you’ve said this before. There is no point. There will be allegations of failing to comply with it and not all nations will sign up anyway. A bit like 9M729.

I don’t think singing will help either, even if it’s kumbaya :)
 
As an aside, today the 15th of August is the anniversary of the defeat of the Red Army at the Battle of Warsaw. It is exactly 100 years ago that Pilsudski smashed the advancing Muscovite horde who were confident that their offensive would carry them into the heart of a war-weary Europe to support the revolutions of the German, French and Italian proletariats and extend the empire of the new Red Tsars.
 
In the centuries-long Russo-Polish relations there were many wars and battles. Moscow was captured by the Poles and Warsaw was captured by the Russians.
4 centuries ago Russia and Poland were about equal powers and were historical contenders. As a result Russia became a great country and Poland remained just an ordinary one. The victory in the battle of Warsaw didn't change it. It's history, nothing personal.
 
Rapacious expansion and authoritarian subjugation of neighbouring territories is not an indicator of greatness. Muscovy, having learned from its Mongol tutors, extinguished the separate development of the other Russian principalities. A large size is easier to achieve when you have an essentially open border to a relatively under-populated expanse of continent to colonise.
 
That's pretty much how every other large country in Europe was established, wasn't it? One local duke or small time king established ascendency over his neighbours and then continued to stretch it as far as he could.
 

To a degree, yes, but these regions had similar values and socio-political organisation. However, Muscovy imposed a harsher, more despotic regime on the other Russias, an inheritance from the Mongols for whom it served as a tax-collector and enforcer. I tend to wonder how differently the history of the Russias might have turned out if Muscovy had been defeated early on and, for example, the Republic of Novgorod had become the pre-eminent Russian state. Or if the Mongols had not warped the very fabric of the nascent eastern Slavic states in the first place, destroyed Kievan Rus and enabled the rise of their client and usurper state Muscovy?
 
Wasn’t Poland taken by Russia after Germany had rolled through and held them down for 6 years?

It’s curious that when freedom came to Poland my favourite barber went back, whereas when ‘freedom’ came to Russia the mafia and their paid-off corrupt officials took the riches, making themselves billionaires, and left Russia for London.

For years he had a collection box for Solidarity, and when they gained power and I went for a haircut expecting to discuss the good news I instead found a piece of paper stuck in the window saying ‘Closed, gone home’.
 
"Drovorub" is a garden variety RAT, or Remote Access Tool. The US government like to use the word "implant" to describe these things, including the versions that they make.

Drovorub doesn't give you a way to break into a Linux system. You need to find some other way of doing that, such as for example convincing someone to give you their passwords.

What Drovorub does is once you have gotten access, you install it and it allows you to get back in again later and do things like copy files. When those helpful chaps in India call you up and claim they are from Microsoft and ask you to install a commercial remote access product because "you have a virus", they're getting you to install something equivalent to Drovorub.

The security services of many countries buy their versions from commercial vendors, with companies in Israel and Italy being the leading vendors. Some other countries such as the US write their own custom versions, which aren't necessarily any better than what they can buy from commercial vendors, except perhaps for being more closely tailored to their own needs.

Here's the official US analysis of Drovorub.

What is Drovorub?
Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server. When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor-controlled C2 infrastructure (T1071.0011); file download and upload capabilities (T1041); execution of arbitrary commands as "root" (T1059.004); and port forwarding of network traffic to other hosts on the network (T1090). The kernel module rootkit uses a variety of means to hide itself and the implant on infected devices (T1014), and persists through reboot of an infected machine unless UEFI secure boot is enabled in “Full” or “Thorough” mode.

The document mentions that normal kernel signing will prevent Drovorub from working. All of the major commercial Linux distros that I am aware of have had this for years. It's pretty difficult today, and has been for years in fact, to find a PC or server without UEFI boot (which requires kernel signing to even boot up). They mention in the following quote that Linux Kernel 3.7 or later is required to use this. Kernel 3.7 came out in 2012.
To prevent a system from being susceptible to Drovorub’s hiding and persistence, system administrators should update to Linux Kernel 3.7 or later in order to take full advantage of kernel signing enforcement. Additionally, system owners are advised to configure systems to load only modules with a valid digital signature, making it more difficult for an actor to introduce a malicious kernel module into the system.

Given the above I would not be surprised if Drovorub was obsolete and no longer in use. None of the news reports on it that I have seen have reported actually seeing any instances of it in use in commercial settings.

The Russian security services have dumped copies of American RATs to public servers, embarrassing the NSA, and I suspect this is a continuing tit-for-tat response from the Americans.
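As an added example, not from the thread or the NSA/FBI advisory, here is a POSIX shell check for the mitigations the quoted advisory names: a 3.7+ kernel and enforced module signature verification, plus the UEFI Secure Boot state the rootkit's persistence depends on. The function names are this script's own; the sysfs, /boot and efivars paths in main() are the standard kernel locations.

```shell
#!/bin/sh
# Added example (not the advisory's code): audit a Linux host for the Drovorub
# mitigations the NSA/FBI fact sheet describes. Function names are this
# script's own; paths used in main() are the usual kernel/sysfs locations.

# Return 0 if the uname -r string "$1" (e.g. 5.10.0-8-amd64) is kernel >= 3.7.
kernel_at_least_3_7() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    case "$major:$minor" in *[!0-9:]*|:*|*:) return 1 ;; esac
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 7 ]; }
}

# Return 0 if the kernel config file "$1" was built to refuse unsigned modules.
config_forces_module_sig() {
    grep -q '^CONFIG_MODULE_SIG_FORCE=y$' "$1"
}

# Print the runtime module.sig_enforce flag from sysfs file "$1"
# ("Y" = unsigned modules are refused), or "unknown" when it cannot be read.
sig_enforce_value() {
    if [ -r "$1" ]; then cat "$1"; else echo unknown; fi
}

# Return 0 if the efivars SecureBoot variable file "$1" reports Secure Boot on:
# efivars files carry 4 attribute bytes, then the data byte (1 = enabled).
secure_boot_enabled() {
    [ -r "$1" ] && [ "$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')" = "1" ]
}

# Verdict for the advisory's two conditions: kernel version "$1" is >= 3.7
# and the sig_enforce value "$2" is "Y".
drovorub_mitigations_ok() {
    kernel_at_least_3_7 "$1" && [ "$2" = "Y" ]
}

main() {
    rel=$(uname -r)
    enf=$(sig_enforce_value /sys/module/module/parameters/sig_enforce)
    cfg=/boot/config-$rel
    sb=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
    echo "kernel $rel, module.sig_enforce=$enf"
    config_forces_module_sig "$cfg" 2>/dev/null && echo "CONFIG_MODULE_SIG_FORCE=y in $cfg"
    secure_boot_enabled "$sb" 2>/dev/null && echo "UEFI Secure Boot: enabled"
    drovorub_mitigations_ok "$rel" "$enf" && echo "module signing enforced: OK" \
        || echo "WARNING: unsigned kernel modules would load on this host"
}

main
```

A "Y" in sig_enforce only means the running kernel refuses unsigned modules; whether the signing keys are trustworthy still depends on the distribution's and the firmware's key management.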