Drive Badger: open source platform for covert data exfiltration operations, ranging from small computers to big servers.

contact@drivebadger.com

War is not just about tanks, missiles, rifles and other "classic warfare" equipment, known from WW2 and previous armed conflicts.

Today, war is also - if not more so - about IT and communication infrastructure: all the systems that allow modern society to communicate, or that manage the supply chain of military forces. Disrupting such systems, or exfiltrating valuable information from them, can have a much bigger impact on further hostilities than, e.g., destroying a few tanks.

Basic facts about IT infrastructure in Russia

Russian IT infrastructure is quite different from that of many other countries:

  • all government and official infrastructure is required to be located in Russia, without relying on external cloud providers
  • since 2019, services provided by Amazon Web Services, Microsoft Azure, Google Cloud etc. are completely forbidden for official use
  • of course they use virtualization, just like the rest of the IT world - but mostly on local, on-premise infrastructure
  • mostly on VMware vSphere and Hyper-V - or free VMware ESXi in smaller offices and companies

In March 2022, Russian authorities announced that they want to go even further with their "Internet independence" - which is obviously related to their war against Ukraine:

What is Drive Badger

Drive Badger is a platform for data exfiltration, which means copying data from someone's computer or mobile device to an external USB drive - mostly in a stealthy way, without the knowledge or consent of the owner, and invisible to the installed security software: anti-virus, DLP, SIEM, EDR etc.

But Drive Badger is different from forensic tools. It is not focused on securing and documenting evidence; instead, it focuses on splitting all the data it finds into:

  • valuable data, worth exfiltration
  • worthless data, excluded from exfiltration thanks to over 400 unique exclusion rules

Using this approach, Drive Badger is typically able to reduce the number of files to be copied by 95%, which also saves a lot of time.

How can Drive Badger help as a warfare tool?

Drive Badger can do much more than just exfiltration. Let's focus on 3 key aspects: support for virtualization servers, filesystem injection and automated key matching for encrypted drives.

Exfiltrating VMware and Hyper-V servers

The problem with exfiltrating virtualization servers is drive space reservation: they contain several virtual drive image files, in which only a small fraction of the reserved space is occupied by valuable files, while all the remaining space:

  • is free - just like in any other computer, but multiplied by the number of virtual machines
  • is occupied by files and directories that would have been skipped by Drive Badger's exclusion rules

Drive Badger can recognize virtual drive image files, mount them just like physical drives, and recursively exfiltrate their contents. This allows quick exfiltration of big, specialized virtualization servers hosted in data centers, with hundreds of virtual machines - which are popular in Russia because of their internal restrictions.

Exfiltrating encrypted drives

Drive encryption has become more and more common in recent years. In 2022, it is a de facto standard for laptops and mobile devices, securing government and corporate data in case of, e.g., device theft. However, drive encryption on servers is still unusual.

Drive Badger supports the 4 most important drive encryption schemes:

  • BitLocker (native encryption method for Windows)
  • LUKS (native encryption method for Linux)
  • Apple FileVault (native encryption method for macOS)
  • VeraCrypt (mainly used on Windows, sometimes also on Linux)

Obviously, to exfiltrate data from a computer with an encrypted drive, you need the encryption key (in most circumstances, either the user password or the recovery key). Drive Badger automates the storage and management of such keys, and can automatically discover which keys match particular encrypted drives - but it is up to you to obtain and configure these keys before the attack (e.g. buy them from a disgruntled IT employee).

Making changes to exfiltrated drives

While Drive Badger's main functionality is data exfiltration, it is also able to make changes to the filesystem being copied: create files or directories, write data into them, rename, delete etc. We call this feature "filesystem injection" and it is done by "injectors". See the injectors-playground repository for example scripts.

During war, it can be used for:

  • injecting files that may constitute evidence, or discredit chosen people (after finding them "officially" later)
    • including into filesystems encrypted with BitLocker, VeraCrypt or LUKS
  • injecting keys allowing remote access (e.g. into ~/.ssh/authorized_keys for selected users)
  • replacing passwords stored in files like /etc/shadow, .htpasswd or others
  • replacing and falsifying any other data (e.g. financial, inventory etc.)
  • injecting all kinds of malicious software:
    • backdoors allowing remote access in non-standard ways
    • spyware allowing data to be received from the device in the future
    • ransomware or wipers that can encrypt, wipe or otherwise modify important data at a later stage (long after you finish and get back safely)

Creating Drive Badger devices at scale

In normal circumstances, a Drive Badger device can be configured manually, step by step, carefully adjusting its configuration for a particular attack. However, during war you may need lots of such devices - e.g. to supply a whole military team (so that anyone in the team who physically reaches the protected servers will be able to use one).

You can automate building Drive Badger devices using the deployment-scripts repository. Configuring 1 device on a fast computer (we suggest the Dell OptiPlex 7040 Micro - very cheap, while having good performance and 6 USB 3.0 ports) should take no more than 3-4 minutes.

Operator safety in case of getting caught

Drive Badger ensures operator safety by encrypting its persistent partition (the one on your USB drive, to which exfiltrated files are saved). In case of getting caught, there is no way to distinguish a Drive Badger drive from an ordinary Kali Linux Live drive, or to prove that data exfiltration took place, unless someone knows the proper password.

Remember that taking part in hostilities may be legal or not, depending on your legal status (soldier, any kind of "spy", civilian etc.). You are solely responsible for all potential law infringements and/or misfeasances of duties. We just provide a universal tool, like, e.g., a knife.

Legal disclaimer: the intention of this product is not incitement to crime. Rather, Drive Badger is mainly intended to be used in countries where using such tools is legal (for any reason, including war), or at most can be subject to disciplinary action between the end user and his/her employer.

From the founder...

Being in the IT security business for almost 25 years, I realized that breaking protections (or preventing it) is becoming less and less important. We are not living in Outlook Express times anymore...
The key point is the ability to keep the privileges permanent, once obtained. This becomes more and more difficult as IT systems get more and more complicated - and this is exactly the goal of the Drive Badger project: to give non-ITSEC people the ability to keep either the privileges or the outcome of a successful break-in.