Malware links Russians to 7-year global cyberspy campaign

Security researchers have shone the spotlight on an ongoing campaign by Russian cyberspies to snoop on western governments and NGOs, as well as targets in Georgia, using the Dukes malware.

The Dukes group of attackers employ a family of unique malware toolsets used to steal information by infiltrating computer networks, before siphoning off compromised data.

The group has been using malware toolkits to support Russian intelligence gathering for at least seven years, according to Finnish security firm F-Secure.

Artturi Lehtiö, F-Secure’s researcher heading the investigation, said the new analysis strengthens claims that the group is backed by Russia and is working to support Russian intelligence gathering.

“The research details the connections between the malware and tactics used in these attacks to what we understand to be Russian resources and interests,” Lehtiö explained.

Victims include the former Georgian Information Centre on NATO (now called the Information Centre on NATO and EU), the Ministry of Defence of Georgia, the ministries of foreign affairs in both Turkey and Uganda, and other government institutions and political think tanks in the US, Europe and Central Asia.

“[The] connections provide evidence that helps establish where the attacks originated from, what they were after, how they were executed, and what the objectives were. And all the signs point back to Russian state-sponsorship.”

The Duke group uses nine different variants of malware toolsets, and Lehtiö’s discovery of two new variants allowed researchers to make new connections between the group and the attacks.

Lehtiö’s whitepaper, The Dukes: 7 Years of Russian Cyberespionage, is available via F-Secure Labs site here (PDF). ®