Russia's GRU has secretly developed and deployed new malware that's virtually impossible to eradicate, capable of surviving a complete wipe of a target computer's hard drive, and allows the Kremlin's hackers to return again and again.
The malware, uncovered by the European security company ESET, works by rewriting the code flashed into a computer's UEFI chip, a small slab of silicon on the motherboard that controls the boot and reboot process. Its apparent purpose is to maintain access to a high-value target in the event the operating system gets reinstalled or the hard drive replaced, changes that would normally kick out an intruder.
It's proof that the hackers known as Fancy Bear "may be even more dangerous than previously thought," company researchers wrote in a blog post. They're set to present a paper on the malware at the Blue Hat security conference Thursday.
U.S. intelligence agencies have identified Fancy Bear as two units within Russia's military intelligence directorate, the GRU, and last July Robert Mueller indicted 12 GRU officers for Fancy Bear's U.S. election interference hacking.
The advanced malware shows the Kremlin's continued investment in the hacking operation that staged some of the era's most notorious intrusions, including the 2016 Democratic National Committee hack. The GRU's hackers have been active for at least 12 years, breaching NATO, Obama's White House, a French television station, the World Anti-Doping Agency, countless NGOs, and military and civilian agencies in Europe, Central Asia, and the Caucasus. Last year, they targeted Democratic Sen. Claire McCaskill, who's facing a hotly contested 2018 re-election race.
"There's been no deterrence to Russian hacking," said former FBI counterterrorism agent Clint Watts, a research fellow at the Foreign Policy Research Institute. "And as long as there's no deterrence, they're not going to stop, and they're going to get more and more sophisticated."
As sophisticated as it is, Russia's new malware works only on PCs with security weaknesses in the existing UEFI configuration. It also isn't the first code to hide in the UEFI chip. Security researchers have demonstrated the vulnerability with proof-of-concept code in the past, and a 2015 leak showed that commercial spyware manufacturer Hacking Team offered UEFI persistence as an option in one of their products. There's even evidence that Fancy Bear borrowed snippets of Hacking Team's code, ESET said.
Last year, a WikiLeaks dump revealed that the CIA used its own malware called "DerStarke" to maintain long-term access to hacked MacOS machines using the same technique.
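The article says the firmware rewrite only succeeds on machines whose UEFI configuration is weak, without naming the setting. The usual defender check is whether the SPI flash holding the firmware is write-protected, which on Intel PCH platforms is governed by the BIOS_CNTL register bits decoded below. This is an added example, not code from the article or from ESET; the register values fed to it are constructed, and reading the live register requires a firmware-inspection tool with the needed privileges.

```python
# Added example: classify an Intel PCH BIOS_CNTL value by which SPI flash
# write protections it has enabled. Bit layout is the documented PCH
# layout; the sample values below are constructed, not read from hardware.
BIOSWE = 1 << 0    # BIOS Write Enable: flash writes permitted when set
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE triggers an SMI so firmware can clear it
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: flash writes permitted only from SMM


def assess_bios_cntl(value: int) -> dict:
    """Return the decoded protection bits plus a verdict string."""
    bioswe = bool(value & BIOSWE)
    ble = bool(value & BLE)
    smm_bwp = bool(value & SMM_BWP)
    if smm_bwp:
        # Only SMM code may write the flash: the strongest of the three controls.
        verdict = "protected"
    elif ble and not bioswe:
        # BLE alone relies on firmware reacting to the SMI in time; it is
        # weaker than SMM_BWP and should be flagged for review.
        verdict = "weak"
    else:
        # No effective lock: OS-level code with hardware access can rewrite firmware.
        verdict = "unprotected"
    return {"BIOSWE": bioswe, "BLE": ble, "SMM_BWP": smm_bwp, "verdict": verdict}


def summarize(samples: dict) -> dict:
    """Map a label to its verdict for a batch of constructed register values."""
    return {label: assess_bios_cntl(v)["verdict"] for label, v in samples.items()}


# Constructed register values illustrating the three outcomes.
CONSTRUCTED_SAMPLES = {
    "smm_bwp_and_ble": SMM_BWP | BLE,   # 0x22: fully locked
    "ble_only": BLE,                    # 0x02: lock enable without SMM protection
    "write_enabled": BIOSWE,            # 0x01: writes open to the OS
    "nothing_set": 0x00,                # 0x00: no protection at all
}

if __name__ == "__main__":
    for label, verdict in summarize(CONSTRUCTED_SAMPLES).items():
        print(f"{label:>16}: {verdict}")
```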
But until now such an attack has never been spotted in the wild on a victim computer.
The first public whiff of Russia's new malware emerged last March, when Arbor Networks' ASERT team reported finding malware designed to look like a component of the theft-recovery app Absolute LoJack.
Absolute LoJack works much like Apple's Find My iPhone app, allowing laptop owners to attempt to geo-locate a computer after a theft, or to remotely wipe their sensitive files from the missing machine. The hackers copied one piece of the app, a background process that maintains contact with Absolute Software's server, and changed it to report to Fancy Bear's command-and-control servers instead.
ESET researchers call the malware LoJax. They suspected they were seeing just one piece of a larger puzzle, and started looking for additional LoJax components in Eastern Europe and the Balkans, where LoJax was popping up on hacked machines alongside better-known Fancy Bear implants like Seduploader, X-Agent, and X-Tunnel.
They found a new component of LoJax designed to access technical details of a computer's UEFI chip, and surmised that Fancy Bear was moving to the motherboard. Eventually they found the proof in another component called "ReWriter_binary" that actually rewrote vulnerable UEFI chips, replacing the vendor code with Fancy Bear's code.
Fancy Bear's UEFI code works as a bodyguard for the counterfeit LoJack agent. At every reboot, the hacked chip checks to make sure that the Windows malware is still present on the hard drive, and if it's missing, reinstalls it.
The researchers so far have found only one computer with an infected UEFI chip among many with the fake LoJack component, which makes them think the former is only rarely deployed. And by all evidence, the entire project is relatively new.
"The LoJax campaign started at least in early 2017," said Jean-Ian Boutin, a senior malware researcher at ESET. "We don't know exactly when the UEFI rootkit was used for the first time, but our first detection came in early 2018."
"The GRU is following a developmental model that's very sophisticated," said Watts. "They have programmers who seem to be top-notch and they appear to rapidly deploy their cyberweapons not long after they develop them."
The ESET researchers said the new malware should be taken as a warning. "The LoJax campaign shows that high-value targets are prime candidates for the deployment of rare, even unique threats," the researchers wrote. "Such targets should always be on the lookout for signs of compromise."