- The Washington Times - Thursday, September 17, 2015

Cyberespionage attacks waged against U.S. and Western targets since at least 2008 have now been attributed by security researchers to hackers believed to be backed by the Russian government.

A white paper published Thursday by Finnish security firm F-Secure concluded that the Kremlin is likely behind a persistent campaign of sophisticated cyberattacks that has set its sights on government organizations and groups the world over, including at least one unnamed American think tank and targets in Poland and Ukraine.

The hackers, dubbed “the Dukes” by F-Secure, have been using a family of custom-made malware to infect computer and exfiltrate sensitive information that the firm believes has been made possible by Moscow.

“The research details the connections between the malware and tactics used in these attacks to what we understand to be Russian resources and interests. These connections provide evidence that helps establish where the attacks originated from, what they were after, how they were executed and what the objectives were. And all the signs point back to Russian state-sponsorship,” said Artturi Lehtiö, a researcher with F-Secure who led the firm’s investigation into the group.

Hackers often rely on the likes of obfuscation and encryption to make attributing cyberattacks as difficult for researchers as possible. On the heels of an earlier report that indicated Kremlin influence, however, F-Secure now says all of the available evidence suggests the group operates “on behalf of the Russian Federation.”

“Further, we are currently unaware of any evidence disproving this theory,” the researchers said in the report.

The firm’s findings come amid reports that officials in Washington are considering sanctions against Russia and China for a wave of cybercrimes waged against American targets.

According to F-Secure, since 2008 the Dukes have used malware variants to infect the computers of possibly thousands of individuals involved with places where discussions are dominated by foreign policy or security matters of interest to Russia: ministries of foreign affairs, embassies, senates, parliaments, ministries of defense and defense contractors, among others.

Specifically, the victims of the attacks referenced by the firm include the former Georgian Information Center on NATO, now called the Information Center on NATO and EU, as well as government offices across Europe and Africa, the researchers said. Political think tanks in the U.S., Europe and Canada were targeted as well, along with Russian-speaking individuals alleged to have been involved in drug trafficking.

The researchers said that the length of the Dukes’ activity and the ongoing nature of the attacks, spotted as recently as July 2015, suggests stable financial backing. From there, the firm hypothesized the involvement of a nation-state given that the campaigns have continued even after security vendors spotted their attacks and alerted targets.

This behavior, F-Secure said, suggests that “the Dukes’ primary mission to be so valuable to their benefactors that its continuation outweighs everything else.”

The attacks themselves begin with spear-phishing, a tactic in which hackers narrow in on individuals who are involved with a specific group or entity that they want to infiltrate. The targets are usually sent emails or other online messages penned to look legitimate, even enticing, but in actuality are embedded with malware that’s intended to be surreptitiously installed on their computers.

“These campaigns utilize a smash-and-grab approach involving a fast but noisy break-in followed by the rapid collection and exfiltration of as much data as possible. If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long-term intelligence gathering,” the report reads.

That toolset includes malware variants that F-Secure has named MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke and GeminiDuke — iterations of the same malware that’s used to remotely break into computers, steal information and relay that data back.

In some cases, the malware was delivered through a link purported to contain a video of Super Bowl commercial involving a monkey in an office; in others, computers were infected with malicious Word documents and PDFs. Anton Cherepanov, a Slovakian Malware researcher, said in other instances the payloads were hidden inside software that’s used to make fake Russian passports.

F-Secure acknowledged that researchers have previously reported on variants of the malware. This time, however, Mr. Lehtiö identified two new variants which helped establish connections between the Dukes and nearly a decade of attacks.

“The connections identified in the report have significant international security implications, particularly for states in Eastern Europe and the Caucasus,” said Patrik Maldre, a junior research fellow with the International Center for Defense and Security. “They shed new light on how heavily Russia has invested in offensive cyber capabilities, and demonstrate that those capabilities have become an important component in advancing its strategic interests.”

“By linking together seven years of individual attacks against Georgia, Europe and the United States, the report confirms the need for current and prospective NATO members to strengthen collective security by increasing cyber cooperation in order to avoid becoming victims of Russian information warfare, espionage and subterfuge,” he said.

More than 90 percent of major data breaches during the last few years were made possible by spear-phishing, American intelligence officials said earlier this month.

“It means that our adversaries do not need to use sophisticated techniques to compromise our data, our systems and our people,” said William Evanina, the head of the National Counterintelligence and Security Center. “It’s an email.”

Sign up for Daily Newsletters

Manage Newsletters

Copyright © 2020 The Washington Times, LLC. Click here for reprint permission.

Please read our comment policy before commenting.


Click to Read More and View Comments

Click to Hide