For the past seven years, a cyberespionage group operating out of Russia on the orders of Tsar Putin have been conducting a series of malware campaigns targeting governments, political think tanks and other organizations.
Researchers at F-Secure have been looking into the antics of an outfit called "the Dukes" which has been active since at least 2008. The group has evolved into a methodical developer of "zero-day" attacks, pulling together their own research with the published work of other security firms to provide a more detailed picture of the people behind a long-running family of malware.
The Dukes specialise in "smash and grab" attacks on networks, but have also used subtle, long-term intrusions that harvested massive amounts of data from their targets.
The group's targets do include criminal organisations operating in the Russian Federation, which suggest there is some form of policing element to it. But they are mostly interested in Western governments and related organisations, such as government ministries and agencies, political think tanks and governmental subcontractors.
F-Secure team wrote. "Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organisations associated with Chechen terrorism; and Russian speakers engaged in the illicit trade of controlled substances and drugs."
The group was named after its earliest-detected malware, known as PinchDuke. Its targets were associated with the Chechen separatist movement. Later that year they were going after Western governments and organisations in search of information about the diplomatic activities of the United States and the NATO.
Most of the attacks used spear phishing emails as the means of injecting malware onto targeted systems, one of their attacks have spread malware through a malicious Tor exit node in Russia, targeting users of the anonymising network with malware injections into their downloads.
The targets have always followed Russian government interests. There are a number of Russian-language artifacts in some of the malware, including an error message in PinchDuke. GeminiDuke also used timestamps that were adjusted to match Moscow Standard time.
Before the beginning of the Ukraine crisis, the group began using a number of decoy documents in spear phishing attacks that were related to Ukraine. They included a letter undersigned by the First Deputy Minister for Foreign Affairs of Ukraine.
However, after the crisis happened the attacks dropped off suggesting that it was an intelligence gathering operation. It is also a big operation, which, if operating in Russia would most likely require state acknowledgement, if not outright support.