Hackers backed by Moscow have been carrying out a seven-year campaign to steal intelligence information from western governments and organizations, a report from cybersecurity researchers F-Secure claims.
Specific targets of the attacks detailed in the report include the former Georgian Information Center on NATO, the Ministry of Defense of Georgia, the ministries of foreign affairs in both Turkey and Uganda and government institutions and think tanks in the U.S., Europe and central Asia.
The hacking collective named the "Duke group" has been using nine different variants of "malware" -- or malicious software -- to infiltrate networks and gather sensitive information.
Some of the malware has been disclosed to the public over the years, but F-Secure had discovered two previously unknown versions that allowed the researchers to link the group to the Russian government. CNBC contacted the Kremlin but received no response.
"These connections provide evidence that helps establish where the attacks originated from, what they were after, how they were executed and what the objectives were. And all the signs point back to Russian state-sponsorship," Artturi Lehtiö, the F-Secure researcher heading the investigation, said in a statement published Thursday.
Tactics using monkey videos
The Duke group mainly uses "spear-phishing" to attack victims -- a tactic that involves sending an email with a malicious web link. Often the group would use decoys -- image files or videos -- to distract a victim while the infection process and malicious activity took place. In one instance, a video of a TV commercial showing monkeys at an office was sent.
In addition, the spear-phishing emails range from ones designed to look like spam messages and addressed to a large number of recipients, to highly-targeted ones for a specific person.
‘Unusual confidence’ of group
Each piece of malware worked in slightly different ways to achieve goals such as stealing passwords and other information. But once the malware was detected by security researchers, the Duke group would not stop attacking but would instead modify their code.
"The Dukes rapidly react to research being published about their toolsets and operations. However, the group (or their sponsors) value their operations so highly that though they will attempt to modify their tools to evade detection and regain stealth, they will not cease operations to do so, but will instead incrementally modify their tools while continuing apparently as previously planned," F-Secure's report said.
"In some of the most extreme cases, the Dukes have been known to engage in campaigns with unaltered versions of tools that only days earlier have been brought to the public's attention by security companies and actively mentioned in the media. In doing so, the Dukes show unusual confidence in their ability to continue successfully compromising their targets even when their tools have been publicly exposed, as well as in their ability to operate with impunity."
Attributing cyber attacks to a certain country can be difficult as several tactics can be used to falsify the location where a hack is coming from.
F-Secure said in its report that several factors helped it come to the conclusion that the group was Russian and backed by the Kremlin.
The Dukes have "stable financial backing" and have operated large- and small-scale attacks at the same time with "apparent coordination", leading to the conclusion that the group is a "single, large, well-coordinated organization with clear separation of responsibilities and targets".
The research firm also said that the fact that the Duke group continues to carry out attacks even after its malware has been discovered shows it can "operate with no apparent fear of repercussions on getting caught."
"We believe the only benefactor with the power to offer such comprehensive protection would be the government of the nation from which the group operates," F-Secure's report said.
Finally, the cyber researchers said they found instances of Russian language in the error messages of malware samples.