Early Toolsets Used by “Dukes” Attackers Suggest Russian Roots

A new report published last week by F-Secure details the activities of the threat group behind the notorious Duke malware family, and points to the numerous clues suggesting that the actor is sponsored by the Russian government.

Espionage operations involving threats such as CosmicDuke, MiniDuke, OnionDuke, CozyDuke (CozyBear/CozyCar), SeaDuke and CloudDuke have been analyzed by several security firms over the past years.

Researchers believe the advanced persistent threat (APT) actor behind these threats, dubbed “the Dukes” and also tracked as APT29, has been active since at least 2008. The group has mainly focused on Western government institutions, political think tanks, government contractors, and other organizations that hold information related to foreign and security policy decisions.

Kaspersky Lab was the first security firm to report malware from the Duke family when it revealed the existence of MiniDuke back in 2013. However, according to F-Secure, the first malware toolset used by the Dukes appears to be PinchDuke, which was leveraged in various campaigns between November 2008 and the spring of 2010.

PinchDuke, which consisted of loaders and a Trojan designed for data theft, was first used to target organizations in Georgia, Turkey, Uganda, and the United States. One of the clues suggesting that the threat was developed by Russian speakers is an error message written in Russian found in many of the PinchDuke samples.

Another early version of Duke malware was GeminiDuke, for which experts discovered a sample compiled in January 2009. The GeminiDuke toolset was mainly designed for collecting information on the infected computer’s configuration.

The time zone of the compilation timestamps in the GeminiDuke samples analyzed by F-Secure was UTC+3 for samples compiled in winter and UTC+4 for samples compiled in summer. That pattern matches Moscow time (MSK in winter, MSD in summer) as it was observed before Russia stopped switching to daylight saving time in 2011. Samples compiled after 2011 still alternate in the same way, but the researchers believe the developers simply never updated the time zone rules on the computer they used to compile GeminiDuke.
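As an added illustration of the reasoning above (this is not code from the article or from the F-Secure report), the following Python compares a sample's PE header timestamp, which is stored as UTC epoch seconds, with a local-time build string assumed to be embedded in the binary, derives the developer's UTC offset from the difference, and checks it against Moscow's clock rules: DST before 2011, permanent UTC+4 from 27 March 2011, and UTC+3 from 26 October 2014. The sample timestamps are constructed, and the paired-timestamp input is an assumption; the article does not say how F-Secure recovered the local time.

```python
"""Added example: infer a build host's UTC offset from a PE timestamp (UTC)
paired with an assumed local-time build string, then check the offset
against Moscow's historical clock rules. All sample data is constructed."""
from datetime import datetime, timedelta, timezone
import calendar

UTC = timezone.utc

MATCH = "matches Moscow clock at build time"
STALE = "matches pre-2011 Moscow DST rules only (stale tz rules on build host?)"
NOMATCH = "not consistent with Moscow time"


def last_sunday(year: int, month: int) -> int:
    """Day of month of the last Sunday (Russian DST switched on last Sundays)."""
    last_day = calendar.monthrange(year, month)[1]
    # weekday(): Monday=0 ... Sunday=6
    return last_day - (datetime(year, month, last_day).weekday() - 6) % 7


def moscow_offset_pre2011(utc_dt: datetime) -> int:
    """Rule Russia used before 2011: UTC+3 (MSK) in winter, UTC+4 (MSD) from
    02:00 local on the last Sunday of March to 03:00 local on the last Sunday
    of October. Boundaries are converted to UTC instants."""
    y = utc_dt.year
    dst_start = datetime(y, 3, last_sunday(y, 3), 2, tzinfo=UTC) - timedelta(hours=3)
    dst_end = datetime(y, 10, last_sunday(y, 10), 3, tzinfo=UTC) - timedelta(hours=4)
    return 4 if dst_start <= utc_dt < dst_end else 3


def moscow_offset_actual(utc_dt: datetime) -> int:
    """Offset Moscow actually used: DST rules until 27 March 2011, then a
    permanent UTC+4, then UTC+3 from 26 October 2014."""
    if utc_dt < datetime(2011, 3, 26, 23, tzinfo=UTC):   # 2011-03-27 02:00 MSK
        return moscow_offset_pre2011(utc_dt)
    if utc_dt < datetime(2014, 10, 25, 22, tzinfo=UTC):  # 2014-10-26 02:00 UTC+4
        return 4
    return 3


def infer_offset_hours(pe_timestamp: int, local_stamp: str) -> int:
    """Whole-hour offset between the PE header timestamp (UTC epoch seconds)
    and a local-time string assumed to be embedded in the binary."""
    utc_dt = datetime.fromtimestamp(pe_timestamp, tz=UTC)
    local_dt = datetime.strptime(local_stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)
    return round((local_dt - utc_dt).total_seconds() / 3600)


def classify(pe_timestamp: int, local_stamp: str) -> tuple:
    """Return (observed offset, verdict) for one sample."""
    utc_dt = datetime.fromtimestamp(pe_timestamp, tz=UTC)
    observed = infer_offset_hours(pe_timestamp, local_stamp)
    if observed == moscow_offset_actual(utc_dt):
        return observed, MATCH
    if observed == moscow_offset_pre2011(utc_dt):
        return observed, STALE
    return observed, NOMATCH


def epoch(*args) -> int:
    """Helper to build a UTC epoch value without hand-computing seconds."""
    return int(datetime(*args, tzinfo=UTC).timestamp())


# Constructed samples: (label, PE timestamp, embedded local build time)
SAMPLES = [
    ("winter 2009", epoch(2009, 1, 15, 10, 0), "2009-01-15 13:00:00"),  # +3
    ("summer 2009", epoch(2009, 7, 20, 10, 0), "2009-07-20 14:00:00"),  # +4
    ("winter 2013", epoch(2013, 1, 10, 10, 0), "2013-01-10 13:00:00"),  # +3, but Moscow was +4
    ("summer 2013", epoch(2013, 7, 10, 10, 0), "2013-07-10 14:00:00"),  # +4
    ("no offset", epoch(2009, 7, 20, 10, 0), "2009-07-20 10:00:00"),    # +0
]


def run_samples() -> list:
    """Classify every constructed sample; returns [(label, offset, verdict)]."""
    return [(label, *classify(ts, local)) for label, ts, local in SAMPLES]


if __name__ == "__main__":
    for label, offset, verdict in run_samples():
        print(f"{label:12s} UTC{offset:+d}  {verdict}")
```

Only winter-compiled samples separate the two hypotheses: after 2011 Moscow sat at UTC+4 all year, so a post-2011 winter build at UTC+3 is the signature of a host still applying the old DST rules, which is exactly the pattern the paragraph describes.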


The most recent versions of Duke malware toolsets are SeaDuke, first used in October 2014, HammerDuke (HAMMERTOSS), first spotted in January 2015, and CloudDuke (MiniDionis/CloudLock), observed since June 2015.

Ever since the first Duke malware samples were discovered, security firms have attributed the threats to Russian-speaking actors. In January 2015, F-Secure stated that a Russian government agency was likely behind the attacks. FireEye reached the same conclusion in July when it published a detailed report on the HAMMERTOSS backdoor.

F-Secure believes that the Duke attacks are Russian state-sponsored operations based on the attackers’ apparent motivations and objectives. First of all, experts say all targets possessed foreign and security policy information that could be highly valuable to Russia.

Furthermore, at one point, CosmicDuke had been used to target individuals involved in trafficking illegal substances. Since such victims were spotted only in Russia, researchers believe the country’s law enforcement agencies might have used CosmicDuke as legal spyware.

On their own, the times of day at which the malware was compiled and the Russian-language artefacts in the discovered samples only point to actors located in Russia. It is the group's considerable financial backing and high degree of organization that suggest it is supported by a government, F-Secure said.

“Based on the length of the Dukes’ activity, our estimate of the amount of resources invested in the operation and the fact that their activity only appears to be increasing, we believe the group to have significant and most critically, stable financial backing. The Dukes have consistently operated large-scale campaigns against high-profile targets while concurrently engaging in smaller, more targeted campaigns with apparent coordination and no evidence of unintentional overlap or operational clashes,” F-Secure explained in its report on the Dukes. “We therefore believe the Dukes to be a single, large, well-coordinated organization with clear separation of responsibilities and targets.”

Despite the fact that their operations and tools have been exposed and analyzed by the IT security community, the Dukes don’t seem to be discouraged.

“This apparent disregard for publicity suggests, in our opinion, that the benefactor of the Dukes is so powerful and so tightly connected to the group that the Dukes are able to operate with no apparent fear of repercussions on getting caught,” F-Secure said. “We believe the only benefactor with the power to offer such comprehensive protection would be the government of the nation from which the group operates. We therefore believe the Dukes to work either within or directly for a government, thus ruling out the possibility of a criminal gang or another third party.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
