The Russian Federation has been in cahoots with a cyberespionage gang tasked with collecting intelligence from foreign governments and affiliated organisations via “smash-and-grab” hacking attacks designed to steal as much data as possible in the shortest period of time.
That’s the accusation made by Finnish security firm F-Secure, which has today published a detailed report into a hacking group known as “The Dukes”, detailing seven years of targeted attacks against the United States, Europe and Asia.
The Dukes hacking group has at its disposal an arsenal of malware - MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke - designed to open backdoors and exfiltrate data from infected computer systems.
With these tools, says F-Secure, the hacking gang has successfully launched targeted spearphishing campaigns against hundreds of institutions since 2008.
Specific targets have included the former Georgian Information Center on NATO (now known as the Information Center on NATO and EU), the Ministry of Defense of Georgia, the ministries of foreign affairs in both Turkey and Uganda and other government institutions and political think tanks in the United States, Europe and Central Asia.
So, who might be benefiting from the attacks perpetrated by The Dukes? F-Secure thinks it knows.
The targets and timing of these campaigns appear to align with the known foreign and security policy interests of the Russian Federation at those times.
In its report, F-Secure’s researchers acknowledge that attribution is always difficult when it comes to hacking attacks, but give their reasons for linking the attacks to Russia’s intelligence agencies:
In one of their more intriguing cases, the Dukes have appeared to also target entities involved in the trafficking of illegal drugs. Even such targets however appear to be consistent with the overarching theme, given the drug trade’s relevance to security policy. Based on this, we are confident in our conclusion that the Dukes’ primary mission is the collection of intelligence to support foreign and security policy decision-making.
This naturally leads to the question of state-sponsorship. Based on our establishment of the group’s primary mission, we believe the main benefactor (or benefactors) of their work is a government. But are the Dukes a team or a department inside a government agency? An external contractor? A criminal gang selling to the highest bidder? A group of tech-savvy patriots? We don’t know.
Patrick Maldre, a junior research fellow with the International Centre for Defence and Security in Estonia, believes that a clearer picture is being drawn of how hackers are supporting the political objectives of Russia, and the country’s intelligence gathering:
“The connections identified in the report have significant international security implications, particularly for states in Eastern Europe and the Caucasus. They shed new light on how heavily Russia has invested in offensive cyber capabilities and demonstrate that those capabilities have become an important component in advancing its strategic interests.”
Whether or not you think F-Secure presents a watertight case for Russian intelligence agency involvement in the Duke family of malware, it’s certainly a fascinating report. You can read more about it on the F-Secure blog, and download the full report if you’re interested.