The Dukes are here – is your organization a target for state-sponsored spying?

A highly dedicated and organized cyberespionage group targets governments and related organizations

Author: Eija Paajanen
Date: 17.09.2015
Read Time: 6 Minutes


F-Secure Labs has just published a whitepaper exploring the tools used by the Dukes, to collect intelligence in support of foreign and security policy decision-making.

The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that F-Secure Labs believes has been working for the Russian Federation since at least 2008.

Cyber Security Advisor Erka Koivunen explains:

Our Lab’s findings are based on information that has been found by carefully analyzing and correlating the vast archive of malware samples that we have accumulated over the years. The samples have been submitted to us, found from OSINT sources, or shared among the AV industry. The whitepaper presents the temporal and technical enormity of the operation and should be an eye-opener for anyone interested in cyber security.

Erka Koivunen
Erka Koivunen

F-Secure co-operated with the affected organizations while conducting their analysis by informing them of the findings, and of the plans to publish the paper.

The Dukes – how do they work?

The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. It looks like the Dukes have consistently targeted entities that deal with matters relating to foreign policy and security policy.

In recent years, the Dukes have engaged in apparently biannual large-scale spear-phishing campaigns against hundreds or even thousands of recipients associated with government institutions and affiliated organizations.

The Dukes’ campaigns use a smash-and grab approach that has become quite common and popular these days – a fast but noisy break-in followed by the rapid collection and exfiltration of as much data as possible. And the efficacy of this approach is nothing less than remarkable.

In the case of one interesting target, the toolset was seen to switch to stealthier tactics that focus on establishing a more persistent foothold to support sustained intelligence gathering. The Dukes also engage in smaller, more targeted campaigns.

The Dukes rapidly react to research being published about their toolsets and operations. However, they will not cease operations while they modify their tools, but will choose to modify their tools incrementally, thus exposing themselves to being discovered.

In some of the most extreme cases, the Dukes have been known to engage in campaigns with unaltered versions of tools that only days earlier have been brought to the public’s attention by security companies and actively mentioned in the media. Bold moves like this show that operators behind the Dukes have extreme confidence in their ability to continue exploiting their targets even when the tools have been publicly exposed. Whether this boldness is backed by reconnaissance-based knowledge about the victim’s security posture or simply a sign of arrogant tactics, is not known.

Today, after at least seven years of operation, the Dukes continue their attacks, and also continue to add new tools and techniques.

Mika Aaltola from the Finnish Institute of International Affairs explains:

One important disruptive characteristic of cyber hacking stems from the difficulty of attributing the perpetrators. This fogginess enables further attacks. It also leads to problems in establishing and maintaining effective deterrence.

So how does it affect your organization?

Primarily, the Dukes use spear-phishing email when attempting to infect victims with their malware. Spear-phishing is a growing tactic among other criminals as well, targeting for example the financial sector and other critical services. This method is behind most cyber-attacks. These spear-phishing emails range from mails that are designed to look like spam messages and spread to large numbers of people, to highly targeted emails addressed to only a few people, and with content that is highly relevant to the intended recipients.

The objectives of the Dukes can be for example:

  • Stealing data
  • Getting a back-door to the systems
  • Acquiring screenshots
  • Elevating user rights
  • Stealing passwords or password hashes
  • Distributed Denial of Service attack
  • Getting a tool to spread disinformation and impersonation in the social media
  • Download additional malware and updates

In the context of the Dukes, the selected targets typically work in an externally exposed roles such as ambassadors or other senior policy figures, whose daily job is to deal with urgent issues and to communicate with a wide range of allies and non-allies. Persons in such roles usually cannot be too picky about which email attachments or web links they choose to open or not. These individuals can truly be described as working in a high-risk environment.

It is clear that educating employees is one very important tool in trying to fight spear-phishing campaigns such as these. Employees exposed to threats of phishing and watering holes need to understand these risks, and to learn to recognize the most common tactics employed to distract the user. These employees also need to have the best protection against phishing and watering hole attacks, and so organizations need to make sure they’re providing security strong enough to mitigate these kinds of attacks.

Erka continues:

However, it is equally important to make sure the people responsible for the security in the organization are easy to approach, and have all the necessary tools to examine any suspicious links, emails or files in isolated conditions. Improving the overall security practices within the organization also helps combat the risks. Why use macro-enabled Office documents that the recipient is just expected to accept, or PDF files that include JavaScript for no obvious reason? Cutting down on these types of insecure practices would easily help minimize the attack surface available for the criminals.

The Dukes often use decoys such as image files, document files, Adobe Flash videos, or similar content to distract the recipients from the malicious activity. While the target is busy studying the decoy, for example a monkey video, or a more factual-looking report or invitation, The Dukes can move forward in the network to spy on the target. One must realize that a typical malware infection does not look, feel or sound like anything in particular. There are no mythical lights flashing or a computer “acting odd”. The operating system spawns a new process and the victim has been owned even before the user has read the headline of the decoy document.

The Dukes have used exploits in their attacks, but usually haven’t discovered the vulnerabilities or designed the original exploits themselves. In many cases, it looks like the group simply repurposed publicly available exploits or proofs of concept.

As Erka puts it:

It rapidly becomes clear that it has been very easy for the Dukes to penetrate the target networks over and over again. One reason could be that organizations take their time patching vulnerabilities, leaving the door wide open for the attackers using known vulnerabilities.

This further confirms that patching software vulnerabilities is a fundamental part of a security posture – not enough to keep one standing in itself, but essential nonetheless.

Mika Aaltola further states:

It is clear that the Dukes’ attacks that have been repeatedly taking place since 2008 signal low Western cyber-deterrence. Repeated attacks by the same perpetrator with very similar tools strongly suggest a failure of both passive and active deterrence methods.

The Dukes: 7 years of Russian cyberespionage
Whitepaper exploring the Dukes set of malware tools

Download the technical whitepaper that tells the story of the Dukes and explains the tools and techniques they use. Give your details below and we’ll send your copy by email.

Post Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s