New, stealthy, first-of-its-kind malware used by Fancy Bear to target governments, ESET discovers

Next story

ESET announced today that a new cyberattack campaign is underway via the infamous hacking group commonly referred to in the US as Fancy Bear (and aka Sednit as ESET calls the group). It is the first malware observed to successfully infect the firmware component of a device called UEFI (which was formerly known as BIOS), a core and critical component of a computer.

The malware dubbed “LoJax” by ESET researchers is the first-ever-in-the-wild UEFI rootkit detected in a cyberattack that establishes a presence on a victim’s computers. The LoJax rootkit was part of a campaign run by Fancy Bear against several high-profile targets in Central and Eastern Europe and is the first-ever publicly known attack of this kind.

“Although we were aware in theory that UEFI rootkits existed, our discovery confirms that they are used by an active advanced persistent threatgroup,” said Jean-Ian Boutin, the ESET senior security researcher who led the LoJax research. “These attacks targeting the UEFI are a real threat, and anyone in the crosshairs of Sednit [Fancy Bear] should be watching their networks and devices very closely.”

UEFI rootkits are extremely dangerous formidable tools used, we now know, to launch successful cyberattacks. They serve as a key to the whole computer, are hard to detect and are able to survive even such intense cybersecurity measures as reinstalling the operating system or replacing the hard disk. Moreover, even cleaning a system that was infected with a UEFI rootkit requires knowledge well beyond the reach of a typical user, such as flashing the firmware.

Fancy Bear is one of the most active APT groups and has been operating since at least 2004. The Democratic National Committee hack that occurred during the 2016 presidential elections, the hacking of global television network TV5Monde, the World Anti-Doping Agency email leak, and many others are believed to be the work of Fancy Bear.

This group has in its arsenal a diversified set of malware tools, several examples of which ESET researchers have documented in their technical white paper, as well as in numerous blog posts on WeLiveSecurity.

The discovery of this first-ever in-the-wild UEFI rootkit serves as a wake-up call for those organizations and users who tend to ignore the risks connected with firmware modifications.

“Now, there is no excuse for excluding firmware from regular scanning,” said Boutin. “Yes, UEFI-facilitated attacks are extremely rare, and up to now, they were mostly limited to physical tampering with the target computer. However, such an attack, should it succeed, would lead to full control of a computer by the attacker, with nearly total persistence.”

ESET is the only major provider of endpoint security solutions to offer a dedicated layer of protection, “ESET UEFI Scanner,” designed to detect malicious components in a PC’s firmware. The UEFI Scanner is included in all of ESET’s latest consumer and business Windows products.

“Thanks to the ESET UEFI Scanner, both our consumer and business customers are in a good position to spot such attacks and defend themselves against them,” noted Juraj Malcho, chief technology officer at ESET.

ESET’s analysis of the Fancy Bear (or “Sednit,” as ESET references the group in technical documents) campaign that uses the first-ever in-the-wild UEFI rootkit is described in detail in the “LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group” white paper.

About ESET

For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit or follow us on LinkedIn, Facebook and Twitter.


Media Contact:

Veronica Bart, Veritas Communications 647-330-5724