Cyberespionage campaign targeting the West linked to Russian government

F-Secure researchers say a hacking campaign which has run for nearly a decade is sponsored by the Russian government.
A sophisticated Russian cyberespionage campaign is believed to have targeted Western and Asian victims for intelligence gathering over at least the last seven years.

On Thursday, security firm F-Secure released a report documenting an investigation into a hacking group focused on surveillance, data theft and intelligence gathering. According to the firm, the Russian group, dubbed "the Dukes," is linked to a number of state-sponsored attacks against governments and organizations across Asia, Europe and the United States.

The whitepaper (.PDF) says the Dukes use a number of "unique" malware toolsets to infiltrate computer networks, spy on users, steal valuable information and send it back to the controllers.

F-Secure believes this group has been supporting Russian spying efforts for at least seven years.

The Dukes use nine different malware toolsets to reach their goals. While many of the kits are already known, two new malware variants allowed the research team to connect the dots -- and link the cyberespionage group to the Russian government.

The Dukes mainly use spear-phishing tactics to dupe their victims. Targeted emails containing malicious attachments or links are sent either as mass mailings or to individuals, with extra decoys, such as a video of monkeys or innocuous images, included to distract the victim while the infection takes hold.

F-Secure calls the group "well-resourced, highly dedicated and organized," as well as "unusually confident." If a malware toolkit in use is discovered, they will attempt to modify their tools to evade detection, but they will not stop operations to do so. Instead, the group -- and perhaps their sponsors -- carry on as normal, altering their tactics as they go.

"These campaigns utilize a smash-and-grab approach involving a fast but noisy break-in followed by the rapid collection and exfiltration of as much data as possible," the report says.

"If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long-term intelligence gathering."

Specific targets include the former Georgian Information Center on NATO, the Ministry of Defense of Georgia, the ministries of foreign affairs in both Turkey and Uganda and other government institutions and political think tanks.

While it is difficult to say exactly which sponsor is responsible for the group's operations, F-Secure believes all the signs point to Russia -- including the victim selection and language clues hidden within malware code.

In some cases, even when toolsets have been publicly exposed, the group disregards the publicity. The researchers believe this indicates the Dukes are "able to operate with no apparent fear of repercussions on getting caught." In turn, this apparent confidence suggests the only sponsor that could offer such protection would be a governing party.

In a statement, lead researcher Artturi Lehtiö said:

"The research details the connections between the malware and tactics used in these attacks to what we understand to be Russian resources and interests.

These connections provide evidence that helps establish where the attacks originated from, what they were after, how they were executed, and what the objectives were. And all the signs point back to Russian state-sponsorship."

ZDNet has reached out to the Kremlin and will update if we hear back.