7 years of malware and espionage heavily linked to Russia — F-Secure

17 Sep 2015

In an amazing piece of work from cybersecurity experts F-Secure, a cyber-espionage group dubbed the Dukes has been linked to seven years worth of Russian spying.

The report details a timeline of attacks attributed to the Dukes, almost following a case-by-case history of Russian political interests since the end of the last decade.

Starting with malware attacking Turkish websites that represent Chechan interests back in 2008, the Dukes’ fingertips move west the following year with attacks on US and NATO interests.

The evolution of tools used by the Dukes – which F-Secure describes as a “well-resourced, highly-dedicated and organised cyber-espionage group” – then brings them to the Caucasus, campaigning against the likes of Kazakhstan, Kyrgyzstan, Azerbaijan and Uzbekistan.

Growing arsenal linked to Russian spying

The arsenal used by the Dukes appears to have evolved very quickly. The starting point, PinchDuke malware, had multiple loaders and an information-stealer trojan.

It utilised tools such as CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, and GeminiDuke, with MiniDuke its landmark backdoor.

The latter is what caught the eye of Kaspersky Labs, leading F-Secure to trawl back through its research to find a true timeline.

“The Dukes primarily target western governments and related organisations, such as government ministries and agencies, political think tanks, and governmental subcontractors,” reads the report.

“Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organisations associated with Chechen extremism; and Russian speakers engaged in the illicit trade of controlled substances and drugs.”

Basically, anybody you consider a target for Russia was included on this list.

Dukes Timeline - Russian spying

The timeline of Duke tools, via F-Secure

F-Secure warns that the Dukes adapt and evolve quite quickly, to hide from view and carry out its often concurrent campaigns.

A good example of this is the organisation’s earliest tools, PinchDuke and GeminiDuke.

“PinchDuke trojan samples always contain a notable text string, which we believe is used as a campaign identifier by the Dukes group to distinguish between multiple attack campaigns that are run in parallel,” claimed F-Secure.

However, GeminiDuke, which seems to have come out afterwards, encrypted the string as the group began to hide its traces.

Finally caught out

The Dukes flew under the radar for a long time, only getting caught in early 2013, after FireEye spotted some Adobe Reader vulnerabilities.

Around the same time, Kaspersky Labs noticed something similar being used to spread a malware family, dubbing it MiniDuke.

While usually operating as spear-phishing email campaigns, the Dukes’ versatility seems impressive. OnionDuke, for example, was a malicious Tor exit node.

The links to Russia are far too heavy to ignore, said F-Secure, with the Russian language found in the backend of some of the malware.

“We are unable to conclusively prove responsibility of any specific country for the Dukes,” said the company, which actually notes a drop off in activity in Ukraine once the war with Russia started.

“All of the available evidence, however, does in our opinion suggest that the group operates on behalf of the Russian Federation.”

Main image via Shutterstock

Gordon Hunt was a journalist with Silicon Republic