Russia has been using the Duke malware family to spy on other countries since 2008, says F-Secure

Graham Cluley

The Russian Federation has been in cahoots with a cyberespionage gang tasked with collecting intelligence from foreign governments and affiliated organisations via “smash-and-grab” hacking attacks designed to steal as much data as possible in the shortest period of time.

That’s the accusation made by Finnish security firm F-Secure, which has today published a detailed report into a hacking group known as “The Dukes”, detailing seven years of targeted attacks against the United States, Europe and Asia.

The Dukes hacking group has at its disposal an arsenal of malware – MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke – designed to open backdoors and exfiltrate data from infected computer systems.

With these tools, says F-Secure, the hacking gang has successfully launched targeted spearphishing campaigns against hundreds of institutions since 2008.


Specific targets have included the former Georgian Information Center on NATO (now known as the Information Center on NATO and EU), the Ministry of Defense of Georgia, the ministries of foreign affairs in both Turkey and Uganda and other government institutions and political think tanks in the United States, Europe and Central Asia.

So, who might be benefiting from the attacks perpetrated by The Dukes? F-Secure thinks it knows.

The targets and timing of these campaigns appear to align with the known foreign and security policy interests of the Russian Federation at those times.

In its report, F-Secure’s researchers acknowledge that attribution is always difficult when it comes to hacking attacks, but give their reasons for concluding that the group works on behalf of a government, with the Russian Federation as the likely beneficiary:

In one of their more intriguing cases, the Dukes have appeared to also target entities involved in the trafficking of illegal drugs. Even such targets however appear to be consistent with the overarching theme, given the drug trade’s relevance to security policy. Based on this, we are confident in our conclusion that the Dukes’ primary mission is the collection of intelligence to support foreign and security policy decision-making.

This naturally leads to the question of state-sponsorship. Based on our establishment of the group’s primary mission, we believe the main benefactor (or benefactors) of their work is a government. But are the Dukes a team or a department inside a government agency? An external contractor? A criminal gang selling to the highest bidder? A group of tech-savvy patriots? We don’t know.

Patrick Maldre, a junior research fellow with the International Centre for Defence and Security in Estonia, believes that a clearer picture is emerging of how hackers are supporting Russia’s political objectives and intelligence gathering:

“The connections identified in the report have significant international security implications, particularly for states in Eastern Europe and the Caucasus. They shed new light on how heavily Russia has invested in offensive cyber capabilities and demonstrate that those capabilities have become an important component in advancing its strategic interests.”

Whether or not you think F-Secure presents a watertight case for Russian intelligence agency involvement in the Duke family of malware, it’s certainly a fascinating report. You can read more about it on the F-Secure blog, and download the full report if you’re interested.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “Russia has been using the Duke malware family to spy on other countries since 2008, says F-Secure”

  1. AlainCo (@alain_co)

    There is a war of disinformation to attribute hacking attacks to your own enemies.

    This French article explains well how, given the anonymity of attackers, when you are the victim, you can attack your preferred target by attributing responsibility to them:

    "On the occasion of the release of Winning cyber war with F.B. Huyghe and O. Kempf, we wondered – among other things – about claiming, concealment, alliances and the strategic weight of cultures in cyberspace; an analysis is required. First, the major Anglo-Saxon media such as the Financial Times or the Washington Post designate the group Epic Turla as linked to the Russian government, which Kaspersky's analysis is careful not to do. In fact these media rely on a 2014 German study by G Data Software whose analysis is based only on technical assumptions about the inferred level of the hacker group. De facto, any Russian group with a somewhat high skill level thus appears as linked to Moscow's intelligence services. While that is quite possible on paper, Kaspersky's analysis of the countries most affected by Epic Turla's attacks seems to show otherwise. Thus the – Russian – antivirus company's analysis shows the attacks as mainly focused on Russia, France, Belarus, the United States and Kazakhstan. For a group supposedly linked to the Russian government, it is pretty surprising that Epic Turla attacks its own country and the latter's economic and military allies as a priority, especially as Epic Turla primarily targets states and large companies …

    As in the field of the economy, the designation of an enemy in cyberspace refines Schmitt's rules. The evasive and concealed character of cyberaggressions allows complex geopolitical games before, during, but also – and especially – after the actual attack. The designation of the enemy has become a form of response in itself which, depending on the opportunities of the moment, indicts a particular party with ultimately fairly limited impact. This reminds us once again that cyberspace, which is undeniably a strategic technological space, is also the one where action on perceptions matters most."

    Those attributions are at least dubious, if not simply meaningless.
    Today, everything is sourced to Putin or Daesh (remember the targets that Sonygate revealed, when Sony was asked to make movies to attack them), and only if a target other than Putin or Daesh is named does it bring information.

    WMD told us that even the total lack of credible data is not a reason to stop claiming something.

    PS: guess why I have great experience of media consensus beliefs based on no evidence 8)
