And what is the problem? Russian and American labs are developing software to spy on each other. It is not forbidden by any international treaty. So what could one expect - that Russia would unilaterally stop such activity? It would be an illogical step.
"Drovorub" is a garden-variety RAT, or Remote Access Tool. The US government likes to use the word "implant" to describe these things, including the versions that they make.
Drovorub doesn't give you a way to break into a Linux system. You need to find some other way of doing that, such as, for example, convincing someone to give you their passwords.
What Drovorub does is this: once you have gotten access, you install it, and it allows you to get back in again later and do things like copy files. When those helpful chaps in India call you up and claim they are from Microsoft and ask you to install a commercial remote access product because "you have a virus", they're getting you to install something equivalent to Drovorub.
The security services of many countries buy their versions from commercial vendors, with companies in Israel and Italy being the leading vendors. Some other countries such as the US write their own custom versions, which aren't necessarily any better than what they can buy from commercial vendors, except perhaps for being more closely tailored to their own needs.
Here's the official US analysis of Drovorub.
What is Drovorub? Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server. When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor-controlled C2 infrastructure (T1071.001); file download and upload capabilities (T1041); execution of arbitrary commands as "root" (T1059.004); and port forwarding of network traffic to other hosts on the network (T1090). The kernel module rootkit uses a variety of means to hide itself and the implant on infected devices (T1014), and persists through reboot of an infected machine unless UEFI secure boot is enabled in “Full” or “Thorough” mode.
The document mentions that normal kernel signing will prevent Drovorub from working. All of the major commercial Linux distros that I am aware of have had this for years. It's pretty difficult today, and has been for years in fact, to find a PC or server without UEFI boot (which requires kernel signing to even boot up). They mention in the following quote that Linux Kernel 3.7 or later is required to use this. Kernel 3.7 came out in 2012.
To prevent a system from being susceptible to Drovorub’s hiding and persistence, system administrators should update to Linux Kernel 3.7 or later in order to take full advantage of kernel signing enforcement. Additionally, system owners are advised to configure systems to load only modules with a valid digital signature making it more difficult for an actor to introduce a malicious kernel module into the system.
Given the above I would not be surprised if Drovorub was obsolete and no longer in use. None of the news reports on it that I have seen have reported actually seeing any instances of it in use in commercial settings.
The Russian security services have dumped copies of American RATs to public servers, embarrassing the NSA, and I suspect this is a continuing tit-for-tat response from the Americans.
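The two mitigations in the quoted advisory text (kernel 3.7 or later, and loading only signed modules) can be checked on a host with a short script. This is an added example, not part of the comment or the advisory; the function names are made up for illustration, and the default paths are the usual locations for the kernel build config and the runtime `sig_enforce` parameter, which may differ by distribution.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the two mitigations it names.

# Succeeds if a `uname -r` style release string is kernel 3.7 or later.
kernel_at_least_3_7() {
    case "$1" in *.*) ;; *) return 2 ;; esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}          # "10.0-1160.el7" -> "10"
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 7 ]; }
}

# Prints enforced | optional | disabled | unknown.
# $1: kernel build config, $2: runtime sig_enforce parameter file.
# Kernel lockdown, which also rejects unsigned modules, is not checked here.
module_sig_status() {
    config=${1:-/boot/config-$(uname -r)}
    param=${2:-/sys/module/module/parameters/sig_enforce}
    if [ -r "$param" ] && [ "$(cat "$param")" = "Y" ]; then
        echo enforced               # module.sig_enforce is on at runtime
    elif [ -r "$config" ] && grep -q '^CONFIG_MODULE_SIG_FORCE=y' "$config"; then
        echo enforced               # enforcement compiled in
    elif [ -r "$param" ] ||
         { [ -r "$config" ] && grep -q '^CONFIG_MODULE_SIG=y' "$config"; }; then
        echo optional               # signatures checked, unsigned modules still load
    elif [ -r "$config" ]; then
        echo disabled               # config readable, no module signing support
    else
        echo unknown                # neither source could be read
    fi
}

# Report for the running system; informational only, always returns 0.
report() {
    release=$(uname -r)
    if kernel_at_least_3_7 "$release"; then
        echo "kernel $release: 3.7 or later"
    else
        echo "kernel $release: older than 3.7 or unparsable"
    fi
    echo "module signature enforcement: $(module_sig_status)"
}
report
```

A result of `optional` means the kernel verifies signatures but still loads unsigned modules, so the advisory's "load only modules with a valid digital signature" condition is not met.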