A new report published last week by F-Secure details the activities of the threat group behind the notorious Duke malware family, and points to the numerous clues suggesting that the actor is sponsored by the Russian government.
Espionage operations involving threats such as CosmicDuke, MiniDuke, OnionDuke, CozyDuke (CozyBear/CozyCar), SeaDuke and CloudDuke have been analyzed by several security firms over the past years.
Researchers believe the advanced persistent threat (APT) actor behind these threats, dubbed “the Dukes” and APT29, has been active since at least 2008. The group has mainly focused on Western government institutions, political think tanks, government contractors, and other organizations that possess information related to foreign and security policy decisions.
Kaspersky Lab was the first security firm to report finding malware from the Duke family when it revealed the existence of MiniDuke back in 2013. However, according to F-Secure, the first malware toolset used by the Dukes appears to be PinchDuke, which had been leveraged in various campaigns between November 2008 and the spring of 2010.
PinchDuke, which consisted of loaders and a Trojan designed for data theft, was first used to target organizations in Georgia, Turkey, Uganda, and the United States. One of the clues suggesting that the threat was developed by Russian speakers is an error message written in Russian found in many of the PinchDuke samples.
Another early version of Duke malware was GeminiDuke, for which experts discovered a sample compiled in January 2009. The GeminiDuke toolset was mainly designed for collecting information on the infected computer’s configuration.
The time zone of the timestamps in the GeminiDuke samples analyzed by F-Secure was UTC+3 for samples compiled during winter and UTC+4 for samples compiled during summer. These offsets correspond to Moscow Standard Time (MST) before Russia decided to stop observing daylight saving time in 2011. The samples compiled after 2011 still follow the same pattern, but experts believe the malware developers simply failed to update the computer they were using to compile GeminiDuke.
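The offset check described above, written out as an added example that is not from the F-Secure report or this article: given build timestamps that carry a UTC offset, each one is compared with the offset Moscow would have had under its pre-2011 rule (UTC+3 in winter, UTC+4 in summer). The sample timestamps are constructed, and the assumed DST window (last Sunday of March 02:00 to last Sunday of October 03:00 local time) is an assumption, not a value taken from the page.

```python
from datetime import date, datetime, timedelta

def last_sunday(year, month):
    """Date of the last Sunday in the given month (Python weekday: Monday=0 ... Sunday=6)."""
    last_day = date(year + (month == 12), (month % 12) + 1, 1) - timedelta(days=1)
    return last_day - timedelta(days=(last_day.weekday() + 1) % 7)

def moscow_offset_pre2011(local_dt):
    """UTC offset (hours) Moscow used before 2011: UTC+3 in winter, UTC+4 in summer.
    Assumed DST window: last Sunday of March 02:00 to last Sunday of October 03:00 local."""
    y = local_dt.year
    dst_start = datetime.combine(last_sunday(y, 3), datetime.min.time()) + timedelta(hours=2)
    dst_end = datetime.combine(last_sunday(y, 10), datetime.min.time()) + timedelta(hours=3)
    return 4 if dst_start <= local_dt < dst_end else 3

def parse_stamp(stamp):
    """'2009-01-15 14:22:00 +0300' -> (naive local datetime, observed offset in whole hours)."""
    aware = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %z")
    return aware.replace(tzinfo=None), int(aware.utcoffset().total_seconds()) // 3600

def check_against_moscow_rule(stamps):
    """Compare each observed offset with the pre-2011 Moscow rule.
    Returns a list of (stamp, expected_offset, observed_offset, consistent)."""
    results = []
    for stamp in stamps:
        local_dt, observed = parse_stamp(stamp)
        expected = moscow_offset_pre2011(local_dt)
        results.append((stamp, expected, observed, expected == observed))
    return results

def all_consistent(stamps):
    """True when every timestamp matches the winter +3 / summer +4 pattern."""
    return all(row[3] for row in check_against_moscow_rule(stamps))

# Constructed sample timestamps (not real GeminiDuke values): winter builds at +3,
# summer builds at +4, including a post-2011 summer build that still matches the old rule.
CONSTRUCTED_STAMPS = [
    "2009-01-15 14:22:00 +0300",
    "2009-07-08 09:41:00 +0400",
    "2010-11-02 17:05:00 +0300",
    "2012-08-02 16:05:00 +0400",
]
# A constructed winter build reporting +4, i.e. a machine that was updated to permanent UTC+4.
DEVIATING_STAMP = "2012-12-10 11:30:00 +0400"

if __name__ == "__main__":
    for row in check_against_moscow_rule(CONSTRUCTED_STAMPS + [DEVIATING_STAMP]):
        print(row)
```

A single offset proves nothing; the signal comes from a run of samples whose offsets flip with the seasons exactly where the hypothesized zone's DST rule says they should, so collect several builds per year before drawing a conclusion.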
The most recent versions of Duke malware toolsets are SeaDuke, first used in October 2014, HammerDuke (HAMMERTOSS), first spotted in January 2015, and CloudDuke (MiniDionis/CloudLock), observed since June 2015.
Ever since the first Duke malware samples were discovered, security firms have attributed the threats to Russian-speaking actors. In January 2015, F-Secure stated that a Russian government agency was likely behind the attacks. FireEye reached the same conclusion in July when it published a detailed report on the HAMMERTOSS backdoor.
F-Secure believes that the Duke attacks are Russian state-sponsored operations based on the attackers’ apparent motivations and objectives. First of all, experts say all targets possessed foreign and security policy information that could be highly valuable to Russia.
Furthermore, at one point, CosmicDuke had been used to target individuals involved in trafficking illegal substances. Since such victims were spotted only in Russia, researchers believe the country’s law enforcement agencies might have used CosmicDuke as legal spyware.
The times of day at which the malware was compiled and the presence of Russian artefacts in discovered samples point only to actors located in Russia. However, the considerable financial support and the fact that they are very well organized suggest that the threat group is backed by a government, F-Secure said.
“Based on the length of the Dukes’ activity, our estimate of the amount of resources invested in the operation and the fact that their activity only appears to be increasing, we believe the group to have significant and most critically, stable financial backing. The Dukes have consistently operated large-scale campaigns against high-profile targets while concurrently engaging in smaller, more targeted campaigns with apparent coordination and no evidence of unintentional overlap or operational clashes,” F-Secure explained in its report on the Dukes. “We therefore believe the Dukes to be a single, large, well-coordinated organization with clear separation of responsibilities and targets.”
Despite the fact that their operations and tools have been exposed and analyzed by the IT security community, the Dukes don’t seem to be discouraged.
“This apparent disregard for publicity suggests, in our opinion, that the benefactors of the Dukes is so powerful and so tightly connected to the group that the Dukes are able to operate with no apparent fear of repercussions on getting caught,” F-Secure said. “We believe the only benefactor with the power to offer such comprehensive protection would be the government of the nation from which the group operates. We therefore believe the Dukes to work either within or directly for a government, thus ruling out the possibility of a criminal gang or another third party.”