Russian hackers ‘Fancy Bear’ now targeting governments with rootkit malware

Security researchers say that they have found evidence that for the first time Russia-backed hackers are now using a more sophisticated type of malware to target government entities.

ESET presented its case Thursday that the hacker group, known as Fancy Bear (or APT28), is using rootkit malware to target its victims. That marks an escalation in tactics, which the researchers say the group’s hacking capabilities “may be even more dangerous than previously thought.”

Although the researchers would not name the targeted governments, they said that the hackers were active in targeting the Balkans and some central and eastern European countries.

The malware, dubbed LoJax, uses a portion of LoJack, an anti-theft software that has been criticized for its brutal persistence making it challenging to remove — even when a user reinstalls their operating system. Arbor Networks found earlier this year that the LoJack agent now connected to a malicious command and control server operated by the hackers.

LoJax, like other rootkits, embeds in the computer’s firmware and launches when the operating system boots up. Because it sits in a computer’s flash memory, it takes time, effort and extreme care to reflash the memory with new firmware.

According to its investigation, ESET said that the hackers were “successful at least once” in writing a malicious module into a system’s flash memory.

Although attribution is typically difficult, the researchers found that systems hit by LoJax also contained other hacking tools known to used by Fancy Bear, including backdoors and proxy tools used for funneling network traffic to and from the hackers’ servers.

ESET said it could link the malware to earlier network infrastructure used by the hacker group “with high confidence.”

Fancy Bear has been active for more than a decade, but is best known for hacking into the Democratic National Committee and its disinformation and election influencing campaign against the U.S. in the run up to the 2016 presidential election. The hackers have also targeted senators, social media sites, the French presidential elections, and leaked Olympic athletes’ confidential medical files.

The researchers said that there are preventative measures. Because Fancy Bear’s rootkit isn’t properly signed, a computer’s Secure Boot feature could prevent the attack by properly verifying each component in the boot process. That can usually be switched on at a computer’s pre-boot settings.

ESET said that the discovery “serves as a heads-up, especially to all those who might be in the crosshairs of Fancy Bear.”