A new report published by F-Secure Labs links a number of state-sponsored cyberattacks to a hacking group engaged in Russian intelligence gathering. The whitepaper provides an in-depth analysis of a hacking group called “The Dukes”, and outlines over seven years of its attacks against governments and related organisations in the United States, Europe and Asia.
The report provides a detailed account of “The Dukes” – a group of attackers using a family of unique malware toolsets used to steal information by infiltrating computer networks and sending the data back to attackers. According to the report, the group has been using these toolsets to launch cyberattacks that support Russian intelligence gathering for at least seven years.
Specific targets of the attacks discussed in the report include the former Georgian Information Center on NATO (now called the Information Center on NATO and EU), the Ministry of Defense of Georgia, the ministries of foreign affairs in both Turkey and Uganda and other government institutions and political think tanks in the United States, Europe and Central Asia.
Artturi Lehtiö, F-Secure’s researcher heading the investigation, said the new analysis strengthens claims that the group is backed by Russia and is working to support Russian intelligence gathering. “The research details the connections between the malware and tactics used in these attacks to what we understand to be Russian resources and interests. These connections provide evidence that helps establish where the attacks originated from, what they were after, how they were executed and what the objectives were. And all the signs point back to Russian state-sponsorship.”
The Duke group uses nine different variants of malware toolsets and, while many of them were previously known to researchers, it was Lehtiö’s discovery of two new variants that allowed researchers to make new connections between the group and the attacks. According to Patrik Maldre, a junior research fellow with the International Centre for Defence and Security in Estonia, it provides vital information that researchers and analysts can now use to put together a bigger picture of how cyberattacks are used to support Russian intelligence gathering and political objectives.
“The connections identified in the report have significant international security implications, particularly for states in Eastern Europe and the Caucasus,” said Maldre. “They shed new light on how heavily Russia has invested in offensive cyber capabilities and demonstrate that those capabilities have become an important component in advancing its strategic interests. By linking together seven years of individual attacks against Georgia, Europe and the United States, the report confirms the need for current and prospective NATO members to strengthen collective security by increasing cyber cooperation in order to avoid becoming victims of Russian information warfare, espionage and subterfuge.”
Mika Aaltola, program director for the Global Security research program at the Finnish Institute of International Affairs, said the report also has special significance for countries in Northern Europe. “Smaller countries, such as Sweden and Finland are particularly vulnerable to this kind of espionage. Nordic and Baltic countries are always trying to balance Russian and Western interests, and Russia uses its cyberattack capabilities to find ways to tip the balance in its favour. Attributing cyberattacks is notoriously challenging, which lets Russia deny its activities in this space and exert influence in much softer, much less visible ways.”
Both Maldre and Aaltola are currently working on research that incorporates Lehtiö’s study on the Dukes. Lehtiö’s whitepaper, called “The Dukes: 7 Years of Russian Cyberespionage”, is now available for download from F-Secure Labs.
