Early Toolsets Used by “Dukes” Attackers Suggest Russian Roots

A new report published last week by F-Secure details the activities of the threat group behind the notorious Duke malware family, and points to the numerous clues suggesting that the actor is sponsored by the Russian government.

Espionage operations involving threats such as CosmicDuke, MiniDuke, OnionDuke, CozyDuke (CozyBear/CozyCar), SeaDuke and CloudDuke have been analyzed by several security firms in recent years.

Researchers believe the advanced persistent threat (APT) actor behind these threats, dubbed “the Dukes” and APT29, has been active since at least 2008. The group has mainly focused on Western government institutions, political think tanks, government contractors, and other organizations that possess information related to foreign and security policy decisions.

Kaspersky Lab was the first security firm to report malware from the Duke family when it revealed the existence of MiniDuke back in 2013. However, according to F-Secure, the first malware toolset used by the Dukes appears to be PinchDuke, which had been leveraged in various campaigns between November 2008 and the spring of 2010.

PinchDuke, which consisted of loaders and a Trojan designed for data theft, was first used to target organizations in Georgia, Turkey, Uganda, and the United States. One of the clues suggesting that the threat was developed by Russian speakers is an error message written in Russian found in many of the PinchDuke samples.

Another early version of Duke malware was GeminiDuke, for which experts discovered a sample compiled in January 2009. The GeminiDuke toolset was mainly designed for collecting information on the infected computer’s configuration.

The time zone of the timestamps in the GeminiDuke samples analyzed by F-Secure was UTC+3 for samples compiled during winter and UTC+4 for samples compiled during summer. These offsets correspond to Moscow Standard Time (MST) before Russia decided to stop observing Daylight Saving Time in 2011. The samples compiled after 2011 still follow the same seasonal pattern, but experts believe the malware developers simply failed to update the computer they were using to compile GeminiDuke.
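An analyst reproducing this reasoning would compare the offset a sample's timestamps imply against the seasonal Moscow rule. The script below is an added illustration, not code from F-Secure's report or the article: the sample list is constructed, the function names are assumptions, and it models the pre-2011 seasonal rule next to the rule Moscow actually used after March 2011 so that post-2011 samples still showing UTC+3 in winter are flagged as coming from a build host whose time zone data was never updated.

```python
from datetime import datetime, timedelta

def last_sunday(year, month):
    """Last Sunday of a month, as a naive datetime at 00:00."""
    last_day = (datetime(year, month, 1) + timedelta(days=31)).replace(day=1) - timedelta(days=1)
    return last_day - timedelta(days=(last_day.weekday() + 1) % 7)  # Monday=0 .. Sunday=6

def seasonal_moscow_offset(compile_utc):
    """UTC offset (hours) under the pre-2011 Moscow rule: +3 in winter, +4 between the
    last Sunday of March and the last Sunday of October (switch at 02:00 standard time)."""
    std = compile_utc + timedelta(hours=3)  # express the instant in Moscow standard time
    start = last_sunday(std.year, 3).replace(hour=2)
    end = last_sunday(std.year, 10).replace(hour=2)
    return 4 if start <= std < end else 3

def actual_moscow_offset(compile_utc):
    """Offset Moscow really used: seasonal until the 27 March 2011 switch, then +4 all
    year (the October 2014 return to +3 lies outside the report's period and is ignored)."""
    if compile_utc < datetime(2011, 3, 26, 23):  # 27 March 2011, 02:00 Moscow time
        return seasonal_moscow_offset(compile_utc)
    return 4

def classify(compile_utc, observed_offset):
    """Compare the offset implied by a sample with both Moscow rules."""
    if observed_offset == actual_moscow_offset(compile_utc):
        return "consistent with Moscow time"
    if observed_offset == seasonal_moscow_offset(compile_utc):
        return "stale pre-2011 Moscow DST rule (build host never updated)"
    return "not consistent with Moscow time"

# Constructed sample set: (label, compile time in UTC, offset implied by the sample).
SAMPLES = [
    ("sample-A", datetime(2009, 1, 15, 10, 0), 3),   # winter, before 2011
    ("sample-B", datetime(2009, 7, 10, 10, 0), 4),   # summer, before 2011
    ("sample-C", datetime(2012, 1, 20, 10, 0), 3),   # winter after 2011: +3 is stale
    ("sample-D", datetime(2012, 7, 20, 10, 0), 4),   # summer after 2011: +4 either way
    ("sample-E", datetime(2009, 7, 10, 10, 0), 1),   # does not fit Moscow at all
]

def analyze(samples=SAMPLES):
    """Map each sample label to its verdict."""
    return {label: classify(utc, off) for label, utc, off in samples}

if __name__ == "__main__":
    for label, verdict in analyze().items():
        print(f"{label}: {verdict}")
```

A single sample is weak evidence; the point of the check is that a whole sample set follows one rule consistently, as the report describes.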

The most recent versions of Duke malware toolsets are SeaDuke, first used in October 2014, HammerDuke (HAMMERTOSS), first spotted in January 2015, and CloudDuke (MiniDionis/CloudLock), observed since June 2015.

Ever since the first Duke malware samples were discovered, security firms attributed the threats to Russian-speaking actors. In January 2015, F-Secure stated that a Russian government agency was likely behind the attacks. FireEye reached the same conclusion in July when it published a detailed report on the HAMMERTOSS backdoor.

F-Secure believes that the Duke attacks are Russian state-sponsored operations based on the attackers’ apparent motivations and objectives. First of all, experts say all targets possessed foreign and security policy information that could be highly valuable to Russia.

Furthermore, at one point, CosmicDuke had been used to target individuals involved in trafficking illegal substances. Since such victims were spotted only in Russia, researchers believe the country’s law enforcement agencies might have used CosmicDuke as legal spyware.

The times of day in which the malware was compiled and the presence of Russian artefacts in discovered samples simply point to actors located in Russia. However, the considerable financial support and the fact that they are very well organized suggests that the threat group is backed by a government, F-Secure said.

“Based on the length of the Dukes’ activity, our estimate of the amount of resources invested in the operation and the fact that their activity only appears to be increasing, we believe the group to have significant and most critically, stable financial backing. The Dukes have consistently operated large-scale campaigns against high-profile targets while concurrently engaging in smaller, more targeted campaigns with apparent coordination and no evidence of unintentional overlap or operational clashes,” F-Secure explained in its report on the Dukes. “We therefore believe the Dukes to be a single, large, well-coordinated organization with clear separation of responsibilities and targets.”

Despite the fact that their operations and tools have been exposed and analyzed by the IT security community, the Dukes don’t seem to be discouraged.

“This apparent disregard for publicity suggests, in our opinion, that the benefactors of the Dukes is so powerful and so tightly connected to the group that the Dukes are able to operate with no apparent fear of repercussions on getting caught,” F-Secure said. “We believe the only benefactor with the power to offer such comprehensive protection would be the government of the nation from which the group operates. We therefore believe the Dukes to work either within or directly for a government, thus ruling out the possibility of a criminal gang or another third party.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.