What Is Drovorub? FBI Exposes Latest Russian State-Run Cyber Threat

Federal investigators said Thursday they have identified a new piece of malware that Russian hackers are using and that poses an ongoing threat to government agencies in the U.S.

The National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) said in a joint press release that the new malware—which the release identified as "Drovorub," meaning "to split wood"—targets the Linux operating system, which is used by the U.S. Department of Defense, some other federal agencies and American citizens.

Russia's military intelligence is using the malware, the federal investigators said. The specific group using Drovorub is a unit of the Russian General Staff Main Intelligence Directorate (GRU), the 85th Main Special Service Center, which investigators said is most widely known as Fancy Bear.

[Photo: NSA] An aerial view of the US Cyber Command joint operations center on the NSA campus is seen on May 25, 2020, in Fort Meade, Maryland. According to a joint release published by the NSA and the FBI this week, a new Russian malware program has been identified and could pose a threat to some U.S. government agencies. Brendan Smialowski/AFP via Getty Images

The group's cyber program "uses a wide variety of proprietary and publicly known techniques to target networks and to persist their malware on compromised devices," the agencies said in a Drovorub fact sheet. The investigators said it is possible for Linux users to determine whether Drovorub has affected their systems, and they encouraged every agency and citizen to keep their software updated to prevent successful intrusions.

Newsweek reached out to the Department of Defense for comment but did not receive a response in time for publication.

The investigators' full advisory is 45 pages long and includes details on how Drovorub works and how targets can protect against it. The advisory says that Drovorub is able to initiate "direct communications" with the targeted machine, giving the person deploying the malware capabilities that include uploading files to and downloading files from the compromised device.

The advisory did not specify how investigators discovered the malware but said the NSA and FBI were sharing information about Drovorub publicly "to counter the capabilities of the GRU."

The investigators' warnings come four years after the Democratic National Committee was hacked in the months leading up to the 2016 presidential election. Federal investigators later said they found evidence linking that intrusion to Fancy Bear. Two years later, Microsoft said it found additional evidence that, the company said, supported concerns that Fancy Bear was attempting to influence the results of a U.S. election, this time the 2018 midterms. The group also allegedly targeted the Center for Strategic and International Studies, a think tank based in Washington, D.C., in 2019.

According to an FBI notification that WIRED obtained earlier this year, Fancy Bear also allegedly targeted other U.S. organizations ranging from government to infrastructure groups.