The Dukes: Putin’s Cyberespionage Army Waged Seven-Year Spying Campaign Against U.S. Government, NATO, Others

As U.S. President Barack Obama prepares to go head-to-head with China’s President Xi Jinping in Washington next week over claims of state-sponsored industrial espionage, he now has another cybersecurity issue to confront: a sophisticated hacking group believed to be working for the Russian Federation, which has been attacking Western government institutions for years, including targets in the U.S., according to a new report.

Codenamed the Dukes, the group has been linked to the attack on the White House in October 2014, when hackers breached the email system of the Executive Office of the President, crippling the system for months and accessing nonclassified information, including some of President Obama’s emails and his schedule.

Attribution in cyberattacks is notoriously difficult, but the security researchers at Finnish security company F-Secure, which published the report Thursday, have concluded that the Russian government is involved.

“Based on the presented evidence and analysis, we believe, with a high level of confidence, that the Duke toolsets are the product of a single, large, well-resourced organization (which we identify as the Dukes) that provides the Russian government with intelligence on foreign and security policy matters in exchange for support and protection.”

Specific targets of the group include the ministries of defense in Georgia and Estonia, foreign affairs ministers in Turkey and Uganda, and political think tanks in the U.S., Europe and Central Asia.

'They Believe They Are Untouchable'

Linking the attacks to a Russian group was relatively easy thanks to clues in the code samples analyzed by F-Secure, including the use of Russian language within the code, the time zones the code was compiled in, and analysis of the group’s targets relating to Russian interests.

However, claiming the group is linked to Vladimir Putin’s government is a tougher sell. Speaking to International Business Times, F-Secure’s Mikko Hypponen explained his company’s bold decision to attribute the attacks to the Russian Federation.

“These guys have been operating for seven years now and some of their operations have been exposed before and they don’t change in the least. They don’t change their operations, which very clearly tells us that these guys aren’t worried about the rule of law, they aren’t worried about getting caught, which means they believe they are untouchable. And if you really believe you are untouchable, then you are the government or you are someone who is working for the government.”

The Kremlin had not responded to IBT's request for comment by the time of publication.

Jarno Limnell, a professor of cybersecurity at Finland's Aalto University, believes that this revelation, if true, will increase suspicion and weaken relationships between Russia and Western countries, and that a physical response to cyberattack might not be far off.

"Political and economic espionage -- loosing critical information -- is crucial to European countries, too. How the U.S. will now respond to China's and Russia's economic and political cyberespionage is an important precedent for European countries, who must be ready to both detect cyberespionage in their networks and put the right policies in place. Losing digital information is so important for a society's competitiveness, I think we are not far from the situation where response to cyberespionage will be physical."

Tools Of Their Trade

The tools used by the Dukes, previously uncovered by F-Secure and researchers at other security companies, include malware toolsets such as MiniDuke, CosmicDuke, OnionDuke and CozyDuke.

When trying to breach high-profile targets, the group’s modus operandi sees it initially use a rather crude and unsophisticated attack against its victim, with detection not a big concern.

However, if the group discovers valuable information during the initial attack, it will switch tactics and use more sophisticated and stealthy methods to silently monitor the networks in question, which focus on long-term intelligence and monitoring of the compromised systems.

The group has consistently evolved its malware over the past seven years, but rather than simply shut down its operation when its presence was made public, the group continued to use the malware and slowly updated it over a period of time.

Attacks against targets in the U.S. date back to 2009, with F-Secure reporting at the time that the group was already “actively interested in political matters related to the United States and NATO, with one attack carried out against a US-based foreign policy think tank.”