The DUKES APT – 7 years of Russian state sponsored hacking

F-Secure has published an interesting report on the cyber espionage operations conducted by the Dukes APT group, which appears linked to the Kremlin.

Security researchers at F-Secure have published an interesting report detailing the cyber espionage operation of a Russian APT group, dubbed the Dukes, the experts speculate the group is backed by the Russian government. The Dukes group has been active since at least 2008  targeted governments, political think tanks and many other organizations, including criminal organizations operating in the Russian Federation.

The hacking crew is very sophisticated, its operations leveraged on “zero-day” exploits developed by its members.

“The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making.” states the executive summary of the report.  “The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks and governmental subcontractors,” “Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organizations associated with Chechen terrorism; and Russian speakers engaged in the illicit trade of controlled substances and drugs.”

The Dukes group is responsible of a large number of high-sophisticated campaigns, security experts have detected an impressive amount of malware toolsets in their arsenal, which include MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke.

The first known targets of the Dukes were associated with the Chechen separatist movement, the hackers used PinchDuke malware to compromise the victims’ systems, but a few months later in 2009, experts collected evidence of the involvement of the Dukes in cyber attacks against the Western governments and organizations.

The researchers at F-Secure have collected many evidence that suggest the Russian origin of The Dukes group, the level of sophistication of their malware and the nature of the targets suggests the involvement of the Russian Government. All the targeted organizations manage information of interest for the Russian government, in April 2014 researchers at F-Secure analyzed a number of documents referring political issues like the crisis in the Ukraine or NATO informative in the attempt to circumvent the victims. F-Secure reported, for example, the existence of a bogus document signed by Ruslan Demchenko, the First Deputy Minister for Foreign Affairs of Ukraine.

 

The source code analyzed by F-Secure contains a number of Russian-language artifacts, in one case the researchers found also an error message that support the attribution. The GeminiDuke also used timestamps that were set at the Moscow Standard time.

In the PinchDuke malware the hackers discovered the following message:

“Ошибка названия модуля! Название секции данных должно быть 4 байта!”  (which translates essentially as “Error in the name of the module! Title data section must be at least 4 bytes!”).

“the benefactors of the Dukes is so powerful and so tightly connected to the group that the Dukes are able to operate with no apparent fear of repercussions on getting caught. We believe the only benefactor with the power to offer such comprehensive protection would be the government of the nation from which the group operates. We therefore believe the Dukes to work either within or directly for a government, thus ruling out the possibility of a criminal gang or another third party” states the report published by F-Secure.

The experts at F-Secure seems to have no doubt about the abilities of The Dukes group and their well-coordinated organization that benefits of  financial resources out of the ordinary.

“We therefore believe the Dukes to be a single, large, well-coordinated organization with clear separation of responsibilities and targets.”

Give a look to the report “THE DUKES 7 years of Russian cyberespionage” I have found it really amazing and full of precious information.

Pierluigi Paganini

(Security Affairs – The Dukes APT, cyber espionage)