F-Secure Labs has warned that a hacker group known as “the Dukes” is engaged in Russian intelligence gathering.
According to a report from F-Secure, the Dukes have used a family of unique malware toolsets to steal information by infiltrating computer networks and sending the data back to attackers. The report stated the group has been using these toolsets to launch cyber attacks that support Russian intelligence gathering for at least seven years.
Targets have included the Ministry of Defence of Georgia, the ministries of foreign affairs in both Turkey and Uganda, as well as other government institutions and political think tanks in the US, Europe and Central Asia, according to F-Secure.
The F-Secure researcher heading the investigation, Artturi Lehtiö, said: “The research details the connections between the malware and tactics used in these attacks to what we understand to be Russian resources and interests. These connections provide evidence that helps establish where the attacks originated from, what they were after, how they were executed and what the objectives were. And all the signs point back to Russian state sponsorship.”
F-Secure’s report highlights nine variants of malware toolsets.
Patrik Maldre, a junior research fellow with the International Centre for Defence and Security in Estonia, said: “The connections identified in the report shed new light on how heavily Russia has invested in offensive cyber capabilities and demonstrate that those capabilities have become an important component in advancing its strategic interests.”
Mika Aaltola, programme director for the global security research programme at the Finnish Institute of International Affairs, said: “Smaller countries, such as Sweden and Finland, are particularly vulnerable to this kind of espionage. Nordic and Baltic countries are always trying to balance Russian and western interests, and Russia uses its cyber attack capabilities to find ways to tip the balance in its favour.”
The report stated that it was likely professional software developers were behind the Dukes. Given the times when the hackers work and the fact that the Russian government was not targeted, the report stated: “We believe, with a high level of confidence, that the Dukes toolsets are the product of a single, large, well-resourced organisation (which we identify as the Dukes) that provides the Russian government with intelligence on foreign and security policy matters in exchange for support and protection.”
The attacks appear to begin with highly targeted spam email messages. As Computer Weekly has previously reported, two-factor authentication (2FA) for all remote access services is key to defending against industrial and government cyber espionage groups.