APT28: First Group to Embed Rootkit in UEFI
The first instance of a Unified Extensible Firmware Interface (UEFI) rootkit in the wild has been attributed to the Russian cyber-espionage group APT28, also known as Fancy Bear, Sofacy, Strontium, or Sednit. The rootkit, dubbed LoJax, is designed to install malware directly into the Windows operating system and ensure it is executed at startup. Because the implant lives in the system firmware rather than on disk, threat actors can maintain persistence on affected machines even after hard drive replacements and operating system reinstallations. According to ESET, attacks related to this campaign have been observed against high-value targets in Central and Eastern Europe.

To defend against LoJax, users are advised to enable the Secure Boot mechanism and ensure motherboards are running the latest firmware version from the manufacturer.

The NJCCIC recommends that entities which may be considered high-value targets for APT28 operations review the ESET report for more information on recent campaigns, including tactics, techniques, and procedures (TTPs), and associated indicators of compromise (IOCs). Organizations are advised to educate end users on this and similar threats; implement a defense-in-depth cybersecurity strategy; employ the Principle of Least Privilege; and keep anti-virus/anti-malware, hardware, and software updated to the latest vendor-supported patch levels to mitigate the exploitation of known vulnerabilities.
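As an added example (not part of the NJCCIC advisory or the ESET report), the following PowerShell function checks the two mitigations recommended above on a Windows host: whether UEFI Secure Boot is enabled and how old the installed firmware is. The `$MaxFirmwareAgeDays` threshold is an assumed value to tune for your vendor's release cadence; run it from an elevated shell.

```powershell
# Added example, not from the original advisory. Reports Secure Boot state and
# firmware age so an administrator can verify the LoJax mitigations in one call.
function Get-UefiDefenseStatus {
    param(
        # Assumed threshold: flag firmware older than this for a vendor update check.
        [int]$MaxFirmwareAgeDays = 365
    )

    $result = [ordered]@{}

    # Confirm-SecureBootUEFI needs administrator rights and throws on
    # legacy BIOS / CSM systems, where UEFI Secure Boot cannot apply at all.
    try {
        $result.SecureBootEnabled = [bool](Confirm-SecureBootUEFI)
        $result.FirmwareMode      = 'UEFI'
    } catch {
        $result.SecureBootEnabled = $false
        $result.FirmwareMode      = 'Legacy or undetermined'
    }

    # Win32_BIOS exposes the SMBIOS firmware vendor, version string and release date.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $result.FirmwareVendor  = $bios.Manufacturer
    $result.FirmwareVersion = $bios.SMBIOSBIOSVersion
    $result.FirmwareDate    = $bios.ReleaseDate
    $result.FirmwareAgeDays = [int]((Get-Date) - $bios.ReleaseDate).TotalDays

    # Collect findings that map directly to the advisory's two recommendations.
    $findings = @()
    if (-not $result.SecureBootEnabled) {
        $findings += 'Secure Boot is not enabled (or the platform is not UEFI)'
    }
    if ($result.FirmwareAgeDays -gt $MaxFirmwareAgeDays) {
        $findings += "Firmware is $($result.FirmwareAgeDays) days old; check the vendor for an update"
    }
    $result.Findings = $findings

    [pscustomobject]$result
}

# Usage: print the report for this host.
Get-UefiDefenseStatus | Format-List
```

The firmware-age check is a heuristic only; the release date confirms nothing about whether a newer vendor image exists, so compare `FirmwareVersion` against the manufacturer's current release before closing the finding.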