NSA and FBI: Hacking tool used by Russian intelligence threatens US government networks

The National Security Agency and FBI exposed a hacking tool used by Russian military intelligence, issuing an advisory on Thursday warning that the previously undisclosed Russian malware posed a threat to U.S. government networks.

The NSA and the bureau jointly called out the Russian General Staff Main Intelligence Directorate, commonly known as the GRU, and its 85th Main Special Service Center (or GTsSS) military unit 26165, which has been dubbed Fancy Bear, Strontium, and Advanced Persistent Threat 28 by various groups in the private sector, alleging that the Russian hacking outfit is deploying malware called Drovorub designed to target Linux operating systems “as part of its cyber espionage operations.” The malware could give Russian intelligence hidden access to and control over a host of servers and networks, which the NSA and FBI said “represents a threat to National Security Systems, Department of Defense, and Defense Industrial Base customers” that use Linux.

Robert Mueller’s special counsel report named GRU Unit 26165 as one of the two Russian intelligence groups behind Russia’s election interference efforts during the 2016 presidential election, including the hacking of the Democratic National Committee’s email systems and the provision of the purloined emails to WikiLeaks for dissemination. The special counsel “did not establish” any criminal conspiracy between any Russians and anyone in President Trump’s orbit.

A fact sheet released by the FBI and NSA on Thursday said that “we’re sharing this information with our customers and the public to counter the capabilities of the GRU GTsSS, an organization which continues to threaten the United States and its allies” and because “we continuously seek to counter their ability to exploit our Nation’s critical networks and systems.” The agencies said that “we are aware that the GTsSS cyber program is a very capable organization that conducts its operations in accordance with GRU mission in the context of the Russian Intelligence Services.”

FBI Assistant Director Matt Gorham said one of the bureau’s priorities in cyberspace “is not only to impose risk and consequences on cyber adversaries but also to empower our private sector, governmental, and international partners through the timely, proactive sharing of information.” He added that “we remain committed to sharing information that helps businesses and the public protect themselves from malicious cyber actors.”

The NSA and FBI also released a 45-page cybersecurity advisory report that goes into granular detail about GRU’s Drovorub malware and offers guidance to U.S. companies and agencies on how to protect against the cyberattacks.

“Information in this Cybersecurity Advisory is being disclosed publicly to assist National Security System owners and the public to counter the capabilities of the GRU, an organization which continues to threaten the United States and U.S. allies as part of its rogue behavior, including their interference in the 2016 U.S. Presidential Election as described in the 2017 Intelligence Community Assessment,” the advisory noted.

Aspects of that intelligence assessment on Russian meddling, including any possible politicization or undue pressure by former CIA Director John Brennan, are being scrutinized by U.S. Attorney John Durham in his investigation into the Trump-Russia investigators. National Counterintelligence and Security Center Director Bill Evanina released a statement earlier in August revealing the intelligence community assessed that Russia was attempting to denigrate presumptive 2020 Democratic nominee Joe Biden, while the Chinese Communist Party wants Trump to lose, and Iran is looking to undermine Trump’s presidency.

NSA Cybersecurity Director Anne Neuberger said Thursday that “this Cybersecurity Advisory represents an important dimension of our cybersecurity mission, the release of extensive, technical analysis on specific threats” and “by deconstructing this capability and providing attribution, analysis, and mitigations, we hope to empower our customers, partners, and allies to take action.”

Last month, the U.S., the United Kingdom, and Canada jointly accused Russian intelligence of likely attempting to hack into groups conducting COVID-19 vaccine development in all three countries in an effort to steal their research, blaming the hacking group “APT29,” also known as “the Dukes” or “Cozy Bear,” which they said is “almost certainly part of Russian intelligence services.” APT29 and GRU Unit 26165 are believed to be closely linked.

“Throughout 2020, APT29 has targeted various organizations involved in COVID-19 vaccine development in Canada, the United States, and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines,” the 16-page joint alert by the U.S., U.K., and Canada concluded.

It was reported earlier this year by the New York Times that another related Russian intelligence outfit, GRU Unit 29155, was the group named in disputed intelligence reports related to Russia allegedly offering bounties to Afghan militants and the Taliban to target U.S. and coalition forces. That GRU unit is also believed to be behind the 2018 Novichok nerve agent poisoning of former Russian military officer and British double agent Sergei Skripal and his daughter Yulia in the U.K., along with other international operations. Secretary of State Mike Pompeo said Thursday that he and the Pentagon had warned Russia against carrying out any such bounty plot.