September 27,
2018
If Putin’s new
malware hits you, don’t bother wiping your hard drive. Just throw out your computer.
Russia’s GRU has
secretly developed and deployed new malware that’s virtually impossible to
eradicate, capable of surviving a complete wipe of a target computer’s hard
drive, and allows the Kremlin’s hackers to return again and again.
The malware,
uncovered by the European security company ESET, works by rewriting the code
flashed into a computer’s UEFI chip, a small slab of silicon on the motherboard
that controls the boot and reboot process. Its apparent purpose is to maintain
access to a high-value target in the event the operating system gets
reinstalled or the hard drive replaced—changes that would normally kick out an
intruder.
It’s proof that
the hackers known as Fancy Bear “may be even more dangerous than previously
thought,” company researchers wrote in a blog post. They’re set to present a
paper on the malware at the Blue Hat security conference Thursday.
U.S. intelligence
agencies have identified Fancy Bear as two units within Russia’s military
intelligence directorate, the GRU, and last July Robert Mueller indicted 12 GRU
officers for Fancy Bear’s U.S. election
interference hacking.
The advanced
malware shows the Kremlin’s continued investment in the hacking operation that
staged some of the era’s most notorious intrusions, including the 2016
Democratic National Committee hack. The GRU’s hackers have been active for at
least 12 years, breaching NATO, Obama’s White House, a French television
station, the World Anti-Doping Agency, countless NGOs, and military and civilian
agencies in Europe, Central Asia, and the Caucasus. Last year, they targeted Democratic
Sen. Claire McCaskill, who’s facing a hotly contested 2018 re-election race.
“There’s been no
deterrence to Russian hacking,” said former FBI counterterrorism agent Clint
Watts, a research fellow at the Foreign Policy Research Institute. “And as long
as there’s no deterrence, they’re not going to stop, and they’re going to get
more and more sophisticated.”
As sophisticated
as it is, Russia’s new malware works only on PCs with security weaknesses in
the existing UEFI configuration. It also isn’t the first code to hide in the
UEFI chip. Security researchers have demonstrated the vulnerability with
proof-of-concept code in the past, and a 2015 leak showed that commercial
spyware manufacturer Hacking Team offered UEFI
persistence as an option in one of their products. There’s even evidence that
Fancy Bear borrowed snippets of Hacking Team’s code, ESET said.
Last year, a WikiLeaks dump revealed that the CIA
used it own malware called “DerStarke” to maintain long-term access to hacked
MacOS machines using the same technique.
But until now
such an attack has never been spotted in the wild on a victim computer.
The first public
whiff of Russia’s new malware emerged last March, when Arbor Networks’ ASERT
team reported finding malware designed to look like
a component of the theft-recovery app Absolute LoJack.
Absolute LoJack
works much like Apple’s Find My iPhone app, allowing laptop owners to attempt
to geo-locate a computer after a theft, or to remotely wipe their sensitive
files from the missing machine. The hackers copied one piece of the app, a
background process that maintains contact with Absolute Software’s server, and
changed it to report to Fancy Bear’s command-and-control servers instead.
ESET researchers
call the malware LoJax. They suspected they were seeing just one piece of a
larger puzzle, and started looking for additional LoJax components in Eastern
Europe and the Balkans, where LoJax was popping up on hacked machines alongside
better-known Fancy Bear implants like Seduploader, X-Agent, and X-Tunnel.
They found a new
component of LoJax designed to access technical details of a computer’s UEFI
chip, and surmised that Fancy Bear was moving to the motherboard. Eventually
they found the proof in another component called “ReWriter_binary” that
actually rewrote vulnerable UEFI chips, replacing the vendor code with Fancy
Bear’s code.
Fancy Bear’s UEFI
code works as a bodyguard for the the counterfeit LoJack agent. At every
reboot, the hacked chip checks to make sure that Windows malware is still
present on the hard drive, and if it’s missing, reinstalls it.
The researchers
so far have found only one computer with an infected UEFI chip among many with
the fake LoJack component, which makes them think the former is only rarely
deployed. And by all evidence, the entire project is relatively new.
“The LoJax
campaign started at least in early 2017,” said Jean-Ian Boutin, a senior
malware researcher at ESET. “ We don’t know exactly when the UEFI rootkit was
used for the first time, but our first detection came in early 2018.”
“The GRU is
following a developmental model that’s very sophisticated,” said Watts. “They
have programmers who seem to be top-notch and they appear to rapidly deploy
their cyberweapons not long after they develop them.”
The ESET
researchers said the new malware should be taken as a warning. “The LoJax
campaign shows that high-value targets are prime candidates for the deployment
of rare, even unique threats,” the researchers wrote. “Such targets should
always be on the lookout for signs of compromise.”
