Information Warfare: The Dukes Of Cyber Hazard


October 11, 2015: There are some things you wish you didn’t know. Case in point are the hidden risks of using computers to go online. Internet security researchers collect enormous amounts of data about software hackers create (malware) to break into networks and computers they are not supposed to be in. For example researchers have been finding more malware systems that share common characteristics that eventually reveal the origin and location of the authors. One group, based in Russia and apparently financed, supervised and protected by the Russian government has come to be called “The Dukes.” This is because the family of malware this Russian group created used “Duke” as part of the name given to each new bit of malware. Thus in 2012, before it became clear exactly who the Dukes were, a large scale Internet based attack against specific civilian, military, and government officials was discovered and provided enormous quantities of malware to be dissected. This turned out be a very clever piece of malware and was called MiniDuke. The attacks using MiniDuke were directed at specific individuals in Ukraine, Belgium, Portugal, Romania, the Czech Republic, the United States, Hungary, and Ireland. The targets in the United States and Hungary were initially only non-government organizations.

MiniDuke delivered a secret software program, via an infected PDF file that monitors PCs it gets into, that passes back keyboard activity and files to servers in Panama and Turkey. MiniDuke was unique in terms of the attention paid to keeping its presence secret from network security systems. MiniDuke stayed dormant until it senses it is not being monitored, then seeks out a specific Twitter feed that the hacker uses to communicate with infected machines.

MiniDuke carried out its attack using an official looking email, with a PDF file attached, sent to specific individuals. It is an email the recipients were not expecting. This is known in the trade as "spear fishing" (or "spear phishing"), which is a Cyber War technique that sends official looking email to specific individuals with an attachment which, if opened, secretly installs a program that sends data from the email recipient's PC to the spear fisher's computer. In the last few years an increasing number of military, corporate, and government personnel have received these official-looking emails with a PDF document attached and asking for prompt attention.

MiniDuke was one of the most sophisticated spear phishing attacks seen so far. It shared some characteristic of professional American–Israeli efforts like Duqu but also incorporates some new ideas (heavy use of Twitter, a very gradual infection process, and lots of scouting). At first it was unclear where it came from, or at least no one has released any information on that yet. But as more security researchers examined MiniDuke code that got left behind and compared that code to what had been found in other attacks, and subsequent ones, it eventually became clear that MiniDuke was one of over a dozen “Duke” malware systems that have been showing up since 2008 and are still being used and upgraded.




Help Keep Us From Drying Up

We need your help! Our subscription base has slowly been dwindling.

Each month we count on your contributions. You can support us in the following ways:

  1. Make sure you spread the word about us. Two ways to do that are to like us on Facebook and follow us on Twitter.
  2. Subscribe to our daily newsletter. We’ll send the news to your email box, and you don’t have to come to the site unless you want to read columns or see photos.
  3. You can contribute to the health of StrategyPage.
Subscribe   Contribute   Close