Russian government implicated in cyber-spying campaign by Dukes hacking group

Seven-year malware operation likely to be Russian-state sponsored according to F-Secure


F-Secure Labs has warned that a group of hackers known as “The Dukes” is operating out of Russia, apparently with the blessing of the government there.

In a report, the Finnish infosec firm said that the Dukes have used a novel set of malware tools to break into networks and steal confidential information from victims. The report claimed that the group has been supporting Russian government efforts to gather intelligence for at least the last seven years.

The Dukes started with malware called PinchDuke, which had multiple loaders and an information-stealing Trojan. The group also used tools with names such as CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke and GeminiDuke, while MiniDuke was its backdoor tool.

“PinchDuke trojan samples always contain a notable text string, which we believe is used as a campaign identifier by the Dukes group to distinguish between multiple attack campaigns that are run in parallel,” claimed F-Secure.

“These campaigns involve a fast but noisy break-in followed by the rapid collection and exfiltration of as much data as possible,” F-Secure said.

“If the compromised target is discovered to be of value, The Dukes will quickly switch the toolset used and move to stealthier tactics focused on persistent compromise and long-term intelligence gathering.”

Among the victims of the operation have been government bodies and political think tanks in the US, Europe and Central Asia, as well as a Georgian Nato branch and Uganda's Ministry of Foreign Affairs.

“The Dukes are a well-resourced, highly dedicated and organised cyber-espionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision making,” the report said.

Artturi Lehtiö, the F-Secure researcher leading the investigation, claimed the firm's investigations pointed to a Kremlin-backed campaign.

"The research details the connections between the malware and tactics used in these attacks to what we understand to be Russian resources and interests," Lehtiö said. "These connections provide evidence that helps establish where the attacks originated from, what they were after, how they were executed and what the objectives were. And all the signs point back to Russian state-sponsorship."

It was a couple of new malware variants found by the researchers that allowed them to connect the Dukes to the attacks.

"The connections identified in the report have significant international security implications, particularly for states in Eastern Europe and the Caucasus," said Patrik Maldre, a junior research fellow with the International Centre of Defence and Security in Estonia. "They shed new light on how heavily Russia has invested in offensive cyber-capabilities and demonstrate that those capabilities have become an important component in advancing its strategic interests."

The report said that professional developers were behind the Dukes. Based on the times of day when the hackers were operational, and on the fact that the Russian government was never targeted by the group, F-Secure said that it believed, “with a high level of confidence, that the Dukes toolsets are the product of a single, large, well-resourced organisation (which we identify as the Dukes) that provides the Russian government with intelligence on foreign and security policy matters in exchange for support and protection.”

TK Keanini, CTO at Lancope, told SCMagazineUK.com that for some time now, most nation states have been ready with their cyber capabilities and, if they are not, they are planning and making investments to attain the capabilities.

“Malware and these techniques are force multipliers to the tradecraft of spies and nation states. In this connected world, our personal and work life are all reachable from anywhere in the world, this includes the bad guys,” he said.

Steve Ward, senior director at iSIGHT Partners, told SC that activity dubbed "the Dukes" “represents two Russian-based espionage operations we track as TEMP.Monkey and TEMP.Noble”.

“Strong similarities observed between malware and command and control mechanisms lead us to believe parallels exist between TEMP.Monkey and TEMP.Noble, and we are currently investigating the extent of the relationship between these two groups,” said Ward.

“We suspect they are the same group of actors or, at a minimum, share toolsets. Collectively, the two operations represent a threat to governments and associated defence sectors across the US and Central and Eastern Europe.”