Patrik Maldre, RKK/ICDS July 23, 2015
Governments rarely provide concrete details about the nature of the cyber threats that they face. That is why the Estonian Internal Security Service’s identification of CosmicDuke as one of the “advanced, persistent threats” (APTs) that affected Estonia’s national security in 2014 was particularly relevant and intriguing. Last week’s discovery of SeaDuke, which exhibits several similarities to CosmicDuke, provides further motivation for taking a closer look at the cyber threat posed by the Duke malware family and the actor(s) behind it.
In terms of functionality, CosmicDuke is a Trojan that can log your keystrokes, take screenshots, steal your e-mail password, export your cryptographic certificates, analyze your files, and exfiltrate the most interesting data from your computer to its own remote command-and-control server. The malware is loaded onto target computers through the use of “spearphishing”, such as by enticing the user to click on an e-mail attachment from a seemingly trustworthy source that is very relevant to their professional interests (i.e. “Ukraine Gas Pipelines Security Report March 2014”) which opens both a decoy document and downloads the malicious code. Finally, CosmicDuke protects itself with layers of encryption and is programmed to avoid antivirus processes and obstruct manual analysis.
The average user may never know (or care) about its presence. However, CosmicDuke doesn’t target the average user; it is part of a sophisticated, multi-year espionage campaign aimed at Euro-Atlantic governments, research institutions, corporations, and foundations. The actor(s) behind CosmicDuke and its “siblings” MiniDuke, OnionDuke, and CozyDuke, have been active at least since 2011. Besides Estonia, their targets have included government entities in Ukraine, Belgium, Portugal, and many other European countries. Furthermore, CozyDuke is reportedly behind the 2014 attacks on the US State Department and the White House. The discovery of SeaDuke demonstrates that the actor(s) behind it shows no sign of slowing down production or implementation.
Who or what, then, is behind this series of espionage campaigns that is enabled by the Dukes? Researchers at security companies such as F-Secure, Symantec, Kaspersky Labs, and BitDefender have been tracking the Duke family for years. They point to similarities in the malware strands’ functionality, infection vectors, working hours, command-and-control infrastructure, and (Russian) language patterns evident in coding, which serve as indications that either one actor is behind the family’s operation or, at the very least, that the various actors are working together closely. The choice of high-profile strategic targets in NATO and EU countries, as well as the discovery in 2014 of a Tor exit node that was based in Russia and used to spread OnionDuke, further indicate that the malware has been deployed by a Russian group in support of Russia’s strategic interests. Furthermore, the complexity and duration of the campaigns highlight the extensive amount of resources, both in terms of technical skill and hours worked, that have been necessary to conduct this level of espionage. The accrued evidence has led observers to conclude that the most plausible theory of the group’s identity is that it is either a state-sponsored Russian cybercriminal syndicate or even a branch of the Russian security services.
It does not take much effort to conjure up any number of scenarios in which the security of a nation-state can be undermined by espionage enabled by malware in the Duke family. Imagine, if you will, a European country that hopes to join NATO in the near future. A high-level official from an influential and supportive partner country unwittingly infects their workstation with CosmicDuke and the information security branch of the organization does not detect or prevent the intrusion. The official then uses their compromised e-mail to refer to plans to actively promote NATO enlargement in the year before the next summit. CosmicDuke malware exfiltrates this information to the actor that is behind the malware, who then realizes that time is of the essence to prevent this undesirable outcome. It mobilizes its other resources to immediately subvert and ultimately prevent enlargement through the use of aggressive espionage operations, information warfare to undermine public support, and threats of energy supply disruptions to discourage the business elite from promoting NATO membership. This is but one of an innumerable amount of ways in which the Dukes could pose a risk to Euro-Atlantic security and solidarity. Surely the reader can think of even more perilous scenarios.
In conclusion, policymakers and analysts in the field of international security are increasingly adjusting to the role that cyber threats play in the overall strategic environment. The Estonian Internal Security Service, which deals with cyber attacks that are initiated by a foreign state or that threaten national security, provided an unusual window into the threats that Estonia faced last year. However, the Dukes and their masters are not just a threat to Estonia but to the wider Euro-Atlantic community. An overview of the threat actors in this domain is fundamental for a fuller understanding of the problem set; it is difficult to lead the defense against that which one is not aware of or does not comprehend.
Cyber Threat Profile – The Dukes