
Sednit hackers use a UEFI rootkit for the first time in cyber attacks against Europe

Russian cyber spies are targeting government organizations in the Balkans and in Central and Eastern Europe using LoJax malware and, for the first time, a UEFI rootkit

Russian cyber spies are targeting government organizations in the Balkans and in Central and Eastern Europe using different components of the LoJax malware. The campaign was discovered by Eset cyber security experts. The Sednit group (aka APT28, Fancy Bear, Sofacy, STRONTIUM) has, for the first time, used a Unified Extensible Firmware Interface (UEFI) rootkit in cyber attacks. UEFI rootkits are widely viewed as extremely dangerous tools for cyber aggression, because they are hard to detect and survive security measures such as operating system reinstallation and even hard disk replacement. Some are known to be at the disposal of governmental agencies. However, “no UEFI rootkit has ever been detected in the wild – the company’s blog reported – until we discovered a campaign by the Sednit APT group that successfully deployed a malicious UEFI module on a victim’s system”.

How the malware campaigns work

On systems targeted by the Russian hackers with the LoJax campaign, Eset found various tools that are able to access and patch UEFI/BIOS settings. All of them used a kernel driver to access the UEFI/BIOS settings. This driver is bundled with RWEverything, a free utility that can be used to read information on almost all of a computer’s low-level settings. Moreover, it is signed with a valid code-signing certificate. The cyber security experts also found three different types of tool used in the cyber attacks. The first dumped information about low-level system settings to a text file. The second saved an image of the system firmware to a file by reading the contents of the SPI flash memory where the UEFI/BIOS is located. The third added a malicious UEFI module to the firmware image and wrote it back to the SPI flash memory, installing the rootkit on the system.
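As an added defender-side example (not Eset's tooling or code from the article): once a firmware image has been dumped from SPI flash, an analyst can enumerate the UEFI modules it contains and diff them against a known-good dump of the same machine, which is how an added module like the one described above shows up. The firmware volume, GUIDs and file contents below are constructed fixtures; the parser handles only the plain FFSv2 layout (no large-file attribute, no nested or compressed volumes).

```python
import struct
import uuid

FVH_SIGNATURE = b"_FVH"
FFS_HEADER_LEN = 24
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID


def parse_volume_files(fv: bytes) -> list[dict]:
    """Walk one EFI firmware volume and list its FFS files (GUID, type, size)."""
    # EFI_FIRMWARE_VOLUME_HEADER: ZeroVector(16) FsGuid(16) FvLength(8) Signature(4)
    # Attributes(4) HeaderLength(2) Checksum(2) ExtHeaderOffset(2) Reserved(1) Revision(1)
    if fv[40:44] != FVH_SIGNATURE:
        raise ValueError("missing _FVH signature: not a firmware volume")
    fv_length = struct.unpack_from("<Q", fv, 32)[0]
    off = struct.unpack_from("<H", fv, 48)[0]  # HeaderLength: first file starts here
    files = []
    while off + FFS_HEADER_LEN <= fv_length:
        hdr = fv[off:off + FFS_HEADER_LEN]
        if hdr == b"\xff" * FFS_HEADER_LEN:  # erased flash: end of the file list
            break
        # EFI_FFS_FILE_HEADER: Name(16) IntegrityCheck(2) Type(1) Attributes(1) Size(3) State(1)
        size = int.from_bytes(hdr[20:23], "little")
        if size < FFS_HEADER_LEN:
            break  # corrupt header; stop rather than loop forever
        files.append({"guid": str(uuid.UUID(bytes_le=hdr[:16])), "type": hdr[18], "size": size})
        off = (off + size + 7) & ~7  # files are 8-byte aligned within the volume
    return files


def added_modules(baseline_fv: bytes, captured_fv: bytes) -> set[str]:
    """GUIDs of files present in a captured dump but absent from the known-good baseline."""
    base = {f["guid"] for f in parse_volume_files(baseline_fv)}
    return {f["guid"] for f in parse_volume_files(captured_fv)} - base


def build_volume(files: list[tuple[uuid.UUID, int, bytes]]) -> bytes:
    """Constructed fixture: a minimal FFSv2-style volume, not a vendor image (checksums left 0)."""
    body = b""
    for guid, ftype, data in files:
        size = FFS_HEADER_LEN + len(data)
        body += guid.bytes_le + b"\0\0" + bytes([ftype, 0]) + size.to_bytes(3, "little") + b"\xf8" + data
        body += b"\xff" * (-len(body) % 8)  # pad each file to 8-byte alignment
    hdr_len = 56 + 8 + 8  # fixed header + one block-map entry + zero terminator
    total = hdr_len + len(body) + 64  # 64 bytes of erased (0xFF) flash at the end
    header = (b"\0" * 16 + FFS2_GUID.bytes_le + struct.pack("<Q", total) + FVH_SIGNATURE
              + struct.pack("<IHHHBB", 0, hdr_len, 0, 0, 0, 2) + struct.pack("<IIII", 1, total, 0, 0))
    return header + body + b"\xff" * 64


# Constructed sample: two DXE drivers (type 0x07) in the baseline, plus one unexpected
# driver in the captured dump, standing in for a module that was added to the image.
BASELINE_FILES = [(uuid.UUID("aaaaaaaa-0000-4000-8000-000000000001"), 0x07, b"legit driver A"),
                  (uuid.UUID("aaaaaaaa-0000-4000-8000-000000000002"), 0x07, b"legit driver B")]
EXTRA_GUID = uuid.UUID("bbbbbbbb-0000-4000-8000-000000000099")
baseline_image = build_volume(BASELINE_FILES)
captured_image = build_volume(BASELINE_FILES + [(EXTRA_GUID, 0x07, b"unexpected module")])

if __name__ == "__main__":
    print("unexpected modules:", added_modules(baseline_image, captured_image))
```

On a real system the baseline is a dump taken from the same machine and firmware version, and any GUID that appears only in the later dump warrants a look at the module's contents before the machine is trusted again.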

Eset cyber security experts: These facts allow us to attribute LoJax with high confidence to the Sednit group

Some of the LoJax small agent C&C servers were used in the past by SedUploader, a first-stage backdoor routinely used by Sednit’s operators. Also, in cases of LoJax compromise, traces of other Russia-linked hacking tools were never far away. In fact, targeted systems usually also showed signs of these three APT28 malware families: SedUploader, a first-stage backdoor; XAgent, Sednit’s flagship backdoor; and Xtunnel, a network proxy tool that can relay any kind of network traffic between a C&C server on the Internet and an endpoint computer inside a local network. These facts allow Eset cyber experts to attribute LoJax with high confidence to the Sednit group.

The Eset post on the UEFI-LoJax malicious campaigns
