Dukes hacking group 'based in Moscow', claims F-Secure

Even Russia's Kaspersky concurs with F-Secure's conclusion

The Dukes hacking group is based in Moscow and funded by the Russian government - that is the conclusion of the report into the hackers' activities released by security software company F-Secure this morning.

And that would appear to be a conclusion shared by F-Secure's Russian rival Kaspersky, which claims that the group's working hours, inferred from the compilation timestamps of GeminiDuke samples (one of the toolsets used by the group between January 2009 and December 2012), coincide with Moscow time.

"All of the available evidence however does in our opinion suggest that the group operates on behalf of the Russian Federation. Further, we are currently unaware of any evidence disproving this theory," claims F-Secure in its report.

It continues: "Kaspersky noted that based on the compilation timestamps, the authors of the Duke malware appear to primarily work from Monday to Friday between the times of 6am and 4pm UTC+0 [11].

"This corresponds to working hours between 9am and 7pm in the UTC+3 time zone, also known as Moscow Standard Time, which covers, among others, much of western Russia, including Moscow and St. Petersburg.

"Based on the length of the Dukes' activity, our estimate of the amount of resources invested in the operation and the fact that their activity only appears to be increasing, we believe the group to have significant and, most critically, stable financial backing."
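The working-hours inference quoted above (compile timestamps clustered 6am-4pm UTC on weekdays, read as a 9am-7pm day in UTC+3) can be reproduced over a set of sample timestamps. This is an added illustration, not code from F-Secure's or Kaspersky's reports; the timestamps below are constructed to show the described pattern and are not real Duke sample data.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed compile timestamps (UTC, ISO-8601); not real Duke samples.
# They cluster between 06:00 and 15:59 UTC on weekdays, as the report describes.
SAMPLE_TIMESTAMPS_UTC = [
    "2012-03-05T06:12:00", "2012-03-06T09:45:00", "2012-03-07T15:30:00",
    "2012-03-08T11:05:00", "2012-03-09T13:20:00", "2012-03-12T07:55:00",
    "2012-03-13T14:40:00", "2012-03-14T10:10:00", "2012-03-15T15:50:00",
    "2012-03-16T06:35:00",
]


def parse_utc(iso_strings):
    """Parse naive ISO-8601 strings as UTC-aware datetimes."""
    return [datetime.fromisoformat(s).replace(tzinfo=timezone.utc) for s in iso_strings]


def local_profile(timestamps, offset_hours):
    """Weekday (0=Mon) and hour-of-day histograms after shifting to UTC+offset."""
    tz = timezone(timedelta(hours=offset_hours))
    local = [t.astimezone(tz) for t in timestamps]
    return Counter(t.weekday() for t in local), Counter(t.hour for t in local)


def office_hours_fit(timestamps, offset_hours, first_hour=9, last_hour=18):
    """Fraction of timestamps that land Mon-Fri between first_hour:00 and
    last_hour:59 local time (default 09:00-18:59, i.e. a 9am-to-7pm working day)."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = sum(
        1 for t in timestamps
        if (lt := t.astimezone(tz)).weekday() < 5 and first_hour <= lt.hour <= last_hour
    )
    return hits / len(timestamps)


def rank_offsets(timestamps, offsets=range(-12, 15)):
    """Candidate UTC offsets, best-fitting office-hours pattern first."""
    return sorted(offsets, key=lambda o: office_hours_fit(timestamps, o), reverse=True)


if __name__ == "__main__":
    stamps = parse_utc(SAMPLE_TIMESTAMPS_UTC)
    best = rank_offsets(stamps)[0]
    print(f"Best-fitting office-hours offset: UTC{best:+d}")
    days, hours = local_profile(stamps, best)
    print("weekday histogram:", dict(sorted(days.items())))
    print("hour histogram:", dict(sorted(hours.items())))
```

Compile timestamps can be forged, so this kind of fit is corroborating evidence at best, which is why the report pairs it with targeting and resourcing arguments rather than relying on it alone.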

It also claims that the group is unusually disciplined and focused in its activities - compared to even well-organised criminal cyber-gangs.

"The Dukes have consistently operated large-scale campaigns against high-profile targets while concurrently engaging in smaller, more targeted campaigns with apparent coordination and no evidence of unintentional overlap or operational clashes. We therefore believe the Dukes to be a single, large, well-coordinated organization with clear separation of responsibilities and targets," claims F-Secure.

Furthermore, the targets attacked by the Dukes hacking group closely correlate with Russian state foreign policy activity. For example, the group initially focused on Chechnya and Georgia in 2009, but switched its attention to Ukraine in 2013, when the Russian government stepped up its campaign to take Crimea from neighbouring Ukraine and backed rebels against the Ukrainian government in parts of eastern Ukraine.

It has also targeted governments across Eastern Europe, especially Poland, and ran a campaign against the illegal drugs trade - an unusual target for hackers to focus on.

And the group's campaigns have continued into 2015, with the group frequently updating its malware as each version was uncovered by security software and services vendors, morphing in a bid to remain hidden.

Perhaps most intriguing of all in F-Secure's report, however, is the claim that the group set up a malicious Tor node, which "appeared to be maliciously modifying any executables that were downloaded through it over an HTTP connection".

The node was originally uncovered by Leviathan Security Group in October 2014, and "executing the modified applications obtained this way would result in the victim being infected with unidentified malware". F-Secure's analysis identified that malware as part of the Duke group of malware - specifically MiniDuke and CosmicDuke.

Variants of the OnionDuke malware successfully penetrated the foreign ministries of several Eastern European countries in the spring of 2014.

"The functionality of the OnionDuke variant is derived from a number of modules. While one of these modules gathers system information and another attempts to steal the victim's usernames and passwords, as one would expect from malware used for a targeted attack, the other two known OnionDuke modules are quite the opposite; one is designed for use in DoS attacks and the other for posting predetermined messages to the Russian VKontakte social media site.

"This sort of functionality is more common in criminality-oriented botnets, not state-sponsored targeted attacks," it claims, adding that the group might have had a money-raising criminal sideline.

"The counter to that argument however is that the value of stolen credentials from users in the countries with the highest percentage of OnionDuke bots (Mongolia and India) is among the lowest on underground markets."
