
FBI Thwarts Malicious Software Employed by Russian Spies


FBI Sabotages Malicious Software Used by Russian Spies

The Federal Bureau of Investigation (FBI) brought down a malicious software (malware) command-and-control (C2) server that was used by Russian spies to connect to the infected computers of American companies and government agencies. The malware was called “Drovorub” by the FBI. According to the FBI, Drovorub is malware of Russian origin and is used by the Russian Foreign Intelligence Service (SVR). The SVR is responsible for foreign intelligence gathering for the Russian government.

Drovorub gave the Russian spies backdoors into the infected systems. The malware could also steal login credentials, files, and data from the targeted systems, and install additional malware onto them. The FBI obtained permission from a US court to take control of the C2 server, which meant that the Russian spies could no longer use it to connect to infected systems.

The FBI then deployed what is known as an “Administrative Takedown.” Administrative takedowns are used when the government wants to take down a website or server without physically removing it. Instead, authorities can disrupt traffic to the server or replace the server’s code with their own. In this instance, the FBI replaced the C2 server’s code with a beacon that signaled home for victim information. With the removal of the C2 server, the FBI effectively neutered Drovorub.

The FBI says that Drovorub is highly sophisticated malware and is tough to detect and remove. However, the arrest of the malware’s alleged author, Yevgeniy Aleksandrovich Nikulin, in Prague in 2016 eventually led to the discovery of the C2 server and the takedown of Drovorub. Nikulin has not yet been extradited to the US for prosecution.

The FBI has expressed concern that the Russian government may use Drovorub again, or that others may use the malware now that it is available for others to edit and use for their purposes.

The FBI and cybersecurity experts have warned that the Russian government has been actively engaged in cyberattacks against the US, with the aim of stealing sensitive information from government and commercial systems. The US government has been trying to counter these attacks, but so far, it has been difficult to deter the Russian government from continuing these attacks.

As America enters into the next phase of the election cycle with the upcoming presidential election, the risk of foreign interference is high. The FBI and the Department of Homeland Security have said that foreign actors have already begun their attacks on the US election infrastructure. The FBI has urged all Americans to be vigilant and report any suspicious activity to the authorities.

Conclusion

The FBI’s takedown of the Drovorub C2 server will no doubt be seen as a significant win in the ongoing conflict between the US and Russia in cyberspace. However, the fact that the Russian hackers were able to successfully infiltrate US government and commercial systems in the first place shows how much work remains to be done to secure America’s cyber infrastructure. The threat to America’s security is real, and the government must continue to work hard to keep us safe.
