Fancy Bear Develops New Brutal Malware

News  |  Sep 28, 2018

The Daily Beast reports Fancy Bear, hackers controlled by the Russian Military Intelligence (GRU), has developed a new cyberweapon designed to survive the normal process one would use to clean an infected system. 

The malware, uncovered by the European security company ESET, works by rewriting the code flashed into a computer’s UEFI chip, a small slab of silicon on the motherboard that controls the boot and reboot process. Its apparent purpose is to maintain access to a high-value target in the event the operating system gets reinstalled or the hard drive replaced—changes that would normally kick out an intruder.  

(...)

U.S. intelligence agencies have identified Fancy Bear as two units within Russia’s military intelligence directorate, the GRU, and last July Robert Mueller indicted 12 GRU officers for Fancy Bear’s U.S. election interference hacking.

The advanced malware shows the Kremlin’s continued investment in the hacking operation that staged some of the era’s most notorious intrusions, including the 2016 Democratic National Committee hack ... 

(...)

“There’s been no deterrence to Russian hacking,” said former FBI counterterrorism agent Clint Watts, a research fellow at the Foreign Policy Research Institute. “And as long as there’s no deterrence, they’re not going to stop, and they’re going to get more and more sophisticated.”

As sophisticated as it is, Russia’s new malware works only on PCs with security weaknesses in the existing UEFI configuration. It also isn’t the first code to hide in the UEFI chip. Security researchers have demonstrated the vulnerability with proof-of-concept code in the past, and a 2015 leak showed that commercial spyware manufacturer Hacking Team offered UEFI persistence as an option in one of their products. There’s even evidence that Fancy Bear borrowed snippets of Hacking Team’s code, ESET said.  
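A firmware implant of this kind relies on the platform's UEFI protections being weak or switched off, so the first thing a defender checks on a fleet is the state of those controls. The script below is an added example, not code from ESET or The Daily Beast: it decodes the UEFI `SecureBoot` and `SetupMode` variables in the layout Linux's efivarfs exposes (a 4-byte little-endian attribute word followed by the variable data) and turns them into a verdict. The variable names and the EFI global-variable GUID are from the UEFI specification; the sample variable bodies are constructed for the demonstration. One caveat a practitioner should keep in mind: a status read from inside the operating system is reported by the firmware itself, so it is a triage check, not proof. Confirming that the flash has not been rewritten means dumping the SPI image out of band and comparing it against the vendor's release.

```python
"""Decode UEFI SecureBoot / SetupMode variables as exposed by Linux efivarfs
and turn them into a defender-facing verdict.

Added example; not ESET's or the article's code. Assumes the efivarfs file
layout (4-byte LE attribute word, then data) and the UEFI global-variable GUID.
"""
import struct
from pathlib import Path
from typing import Optional, Tuple

EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")

# Variable attribute bits from the UEFI specification.
EFI_VARIABLE_NON_VOLATILE = 0x00000001
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x00000002
EFI_VARIABLE_RUNTIME_ACCESS = 0x00000004


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs file body into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivar body shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def decode_boolean_var(raw: bytes) -> bool:
    """SecureBoot and SetupMode hold a single byte: 1 = true, 0 = false."""
    attrs, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError(f"expected 1 data byte, got {len(data)}")
    if not attrs & EFI_VARIABLE_RUNTIME_ACCESS:
        # Both variables are runtime-accessible by spec; anything else is malformed.
        raise ValueError("variable lacks EFI_VARIABLE_RUNTIME_ACCESS")
    return data[0] == 1


def assess_secure_boot(secureboot_raw: bytes, setupmode_raw: bytes) -> dict:
    """Combine the two variables into one verdict a fleet report can key on."""
    secure_boot = decode_boolean_var(secureboot_raw)
    setup_mode = decode_boolean_var(setupmode_raw)
    if setup_mode:
        # No platform key enrolled: the firmware cannot enforce signatures at all.
        verdict = "setup mode"
    elif secure_boot:
        verdict = "enforcing"
    else:
        verdict = "disabled"
    return {"secure_boot": secure_boot, "setup_mode": setup_mode, "verdict": verdict}


def read_efivar(name: str, guid: str = EFI_GLOBAL_VARIABLE_GUID) -> Optional[bytes]:
    """Read a variable from the live system; None if efivarfs or the variable is absent."""
    try:
        return (EFIVARS_DIR / f"{name}-{guid}").read_bytes()
    except OSError:
        return None


def assess_live_system() -> Optional[dict]:
    """Verdict for the machine running this script, or None on legacy-BIOS boot."""
    sb = read_efivar("SecureBoot")
    sm = read_efivar("SetupMode")
    if sb is None or sm is None:
        return None
    return assess_secure_boot(sb, sm)


# Constructed sample bodies: attributes 0x6 (BOOTSERVICE|RUNTIME), then one data byte.
SAMPLE_ENFORCING = (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00")
SAMPLE_DISABLED = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x00")
SAMPLE_SETUP_MODE = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x01")

if __name__ == "__main__":
    for label, pair in (("enforcing", SAMPLE_ENFORCING),
                        ("disabled", SAMPLE_DISABLED),
                        ("setup", SAMPLE_SETUP_MODE)):
        print(f"sample {label}: {assess_secure_boot(*pair)}")
    live = assess_live_system()
    print("live system:", live if live is not None else "no efivars available")
```

Run it as root on a UEFI-booted Linux host to get the live verdict alongside the three constructed samples; a result of "disabled" or "setup mode" is the configuration state the article's caveat refers to and belongs in the same report as the firmware-hash comparison.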

(...)

“The GRU is following a developmental model that’s very sophisticated,” said Watts. “They have programmers who seem to be top-notch and they appear to rapidly deploy their cyberweapons not long after they develop them.”

The ESET researchers said the new malware should be taken as a warning ... 

Fancy Bear, the Russian Election Hackers, Have a Nasty New Weapon (Daily Beast)