F-Secure report details Russian cyber attacks on the U.S., NATO and others

Reports, Threats & Hacks

Much of the world woke to headlines Thursday morning featuring revelations from a new F-Secure whitepaper on an advanced-persistent threat (ATP) group known as “the Dukes”. In our News from the Labs blog, Labs researcher Artturi Lehtiö wrote:

We believe that the Dukes are a well-resourced, highly dedicated, and organized cyber-espionage group that has been working for the Russian government since at least 2008 to collect intelligence in support of foreign and security policy decision-making.

The reports note that the targets include many entities that the Russian government isn’t particularly friendly with:

“The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organizations associated with Chechen terrorism; and Russian speakers engaged in the illicit trade of controlled substances and drugs.”

The Verge‘s Russell Brandom walked through the evidence that led to the Labs’ conclusion that the attacks are likely Russian-backed:

“A Russian-language error message was found within one part of the code base, and the group operating the programs seemed to act largely within working hours on Moscow time — suggesting the group was Russian, although not necessarily aligned with the Russian government. From there, F-Secure looked at the group’s targets and apparent resources. Duke’s growth suggested a steady flow of resources aimed at a string of government-related targets: embassies, parliaments, and ministries of defense. Notably, the group never targeted the Russian government. Even after security firms made their activities public, the Duke group didn’t change tactics, suggesting they weren’t concerned about being apprehended.”

ArsTechnica‘s Sean Gallagher explicated the evidence and noted the Labs’ conclusion, “Such an organization operating in Russia would most likely require state acknowledgement, if not outright support.”

Artturi explained to Brandom that recent attacks on White House and the State Department appear to be linked the attacks detailed in his report:

“The US State Department and White House are both the type of organizations that we know the Dukes primarily target. Based on what has been reported in the news, we believe it is possible that the Dukes are also behind the recent compromises of the State Department and the White House.”

Jarno Limnell, a professor of cybersecurity at Finland’s Aalto University,told the International Business Times’ David Gilbert that he fears that if this report is true, escalation is inevitable:

“Losing digital information is so important for a society’s competitiveness, I think we are not far from the situation where response to cyberespionage will be physical.”

“It is, of course, the most recent in a long line of reports linking Russia to significant cybercrime,” Gizmodo‘s Jamie Condliffe wrote. “How it’s stopped remains anyone’s guess.”

We, of course, are not so pessimistic.

NBC News’ Arjun Kharpal highlighted described the somewhat sophisticated social engineering used to mask the infection:

“The Duke group mainly uses ‘spear-phishing’ to attack victims – a tactic that involves sending an email with a malicious web link. Often the group would use decoys – image files or videos – to distract a victim during the infection process and malicious activity taking place. In one instance, a video of a TV commercial showing monkeys at an office was sent.”

Advanced threats are most likely to target organizations that are protecting high value data. Generally, but not always, these groups, especially governments, have the resources in order to prevent easy access to hackers.

In our Business Insider blog, Eija wrote:

“It is clear that educating employees is one very important tool in trying to fight spear-phishing campaigns such as these. Employees exposed to threats of phishing and watering holes need to understand these risks, and to learn to recognize the most common tactics employed to distract the user. These employees also need to have the best protection against phishing and watering hole attacks, and so organizations need to make sure they’re providing security strong enough to mitigate these kinds of attacks.”

F-Secure Cyber Security Advisor Erka Koivunen notes that smart security can prevent many risks:

Why use macro-enabled Office documents that the recipient is just expected to accept, or PDF files that include JavaScript for no obvious reason? Cutting down on these types of insecure practices would easily help minimize the attack surface available for the criminals.

0 Comments

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

You might also like