Security researchers at F-Secure have lifted the lid on a major new APT group they claim has been operating for the past seven years, gathering intelligence from government and related organizations in the US, Europe and Asia.
Activity linked to APT29, or “The Dukes” as the group has been dubbed by the Finnish security vendor, dates back to 2008, with the first known attacks against the West coming a year later.
The group uses nine different malware toolsets. Some of them, such as MiniDuke, were already known to researchers, but two, including CloudDuke, are revealed for the first time in this report.
The report describes a well-resourced and determined group mainly out to target Western organizations.
F-Secure explained the slightly unusual MO of the group:
“These campaigns utilize a smash-and-grab approach involving a fast but noisy break-in followed by the rapid collection and exfiltration of as much data as possible. If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long-term intelligence gathering.”
In addition to these raids, the group apparently undertook smaller, more targeted campaigns, the targets and timings of which “appear to align with the known foreign and security policy interests of the Russian Federation at those times.”
The group is quick to react to new research, modifying tools to remain hidden from view, but on other occasions uses tools which have already been publicly outed, F-Secure said.
This confidence suggests that the group has no fear of repercussions, further strengthening the case for The Dukes being a state-sponsored group.
“They shed new light on how heavily Russia has invested in offensive cyber capabilities and demonstrate that those capabilities have become an important component in advancing its strategic interests,” argued Patrik Maldre, a junior research fellow with the International Centre for Defence and Security in Estonia.
“By linking together seven years of individual attacks against Georgia, Europe and the United States, the report confirms the need for current and prospective NATO members to strengthen collective security by increasing cyber cooperation in order to avoid becoming victims of Russian information warfare, espionage and subterfuge.”
The infection vector of choice for The Dukes is, as usual, a spear-phishing email. However, certain OnionDuke variants were spread via a malicious Tor exit node designed to trojanize legitimate applications on the fly as they were downloaded, the report revealed.
Despite its apparent sophistication and state backing, however, the group is only thought to have exploited one zero-day vulnerability so far: CVE-2013-0640 (used by MiniDuke).
While the researchers conclude that the group’s “primary mission is the collection of intelligence to support foreign and security policy decision-making” for the Russian Federation, they are unable to say whether it is a team inside a government agency or an arm’s-length body.
The state-sponsorship theory is backed up by Kaspersky Lab research, which found Russian-language script in PinchDuke samples and established that the Duke malware authors work Monday to Friday during normal office hours in the time zone that covers Moscow, St Petersburg and much of western Russia.
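The working-hours attribution in the last paragraph rests on PE compile timestamps; the following is an added example of that analysis, not code from the F-Secure or Kaspersky reports. It reads the COFF TimeDateStamp straight from a PE header and scores candidate UTC offsets by how many samples fall on a Monday-to-Friday, 09:00-18:00 local working day; the sample timestamps, the 9-to-18 window and the offset range are constructed assumptions (Moscow's UTC offset has changed over the years, so the best-fitting offset is one signal, not proof).

```python
import struct
from datetime import datetime, timedelta, timezone

def pe_compile_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime.
    The field is an unsigned 32-bit epoch value that a builder can set to
    anything, so treat it as one signal among several, never as proof."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)  # COFF TimeDateStamp
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def make_stub_pe(stamp: datetime) -> bytes:
    """Constructed minimal header (not an executable) carrying only a timestamp."""
    hdr = bytearray(0x58)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)               # e_lfanew -> PE header at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", hdr, 0x48, int(stamp.timestamp()))
    return bytes(hdr)

# Constructed sample set (assumed, not from any report): five weekday builds and one Saturday build, UTC.
UTC = timezone.utc
SAMPLES = [make_stub_pe(datetime(2013, 3, d, h, m, tzinfo=UTC)) for d, h, m in
           [(4, 5, 30), (5, 7, 0), (6, 10, 0), (7, 13, 30), (8, 8, 15), (9, 7, 0)]]

def working_hours_fit(samples, utc_offset_hours, start=9, end=18):
    """Fraction of samples compiled Mon-Fri within [start, end) local hours at the candidate offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits = 0
    for data in samples:
        local = pe_compile_timestamp(data).astimezone(tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(samples)

def best_offset(samples, offsets=range(-12, 15)):
    """UTC offset whose working-week window explains the most samples, plus all scores."""
    scores = {off: working_hours_fit(samples, off) for off in offsets}
    return max(scores, key=scores.get), scores

if __name__ == "__main__":
    off, scores = best_offset(SAMPLES)
    print(f"best fit UTC{off:+d}: {scores[off]:.0%} of builds in working hours")
```

Run against real samples, replace SAMPLES with the file contents of the binaries and compare the score distribution, not just the top offset; a flat distribution or a cluster at odd hours is itself evidence the stamps were altered.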