A new report from F-Secure has found evidence that the Russian government is behind the widespread Duke malware strain, orchestrating a seven-year campaign that has targeted Chechnya, NATO and possibly as far as the State Department and White House. Titled The Dukes: Seven Years of Russian Cyberespionage, the report details the results of research dating back to 2008, connecting the dots between more than a dozen different incidents. The team behind the Duke malware waged their campaign with nine different variants, each tailored to specific systems and situations. The variants have been the subject of a number of security reports over the years, but this is the most definitive evidence yet that the Russian government has been sponsoring the attacks.
F-Secure's conclusion is based on a number of factors. A Russian-language error message was found within one part of the code base, and the group operating the programs seemed to act largely within working hours on Moscow time — suggesting the group was Russian, although not necessarily aligned with the Russian government. From there, F-Secure looked at the group's targets and apparent resources. Duke's growth suggested a steady flow of resources aimed at a string of government-related targets: embassies, parliaments, and ministries of defense. Notably, the group never targeted the Russian government. Even after security firms made their activities public, the Duke group didn't change tactics, suggesting they weren't concerned about being apprehended.
"Based on our establishment of the group’s primary mission, we believe the main benefactor (or benefactors) of their work is a government," the report reads. "But are the Dukes a team or a department inside a government agency? An external contractor? A criminal gang selling to the highest bidder? A group of tech-savvy patriots? We don’t know." The report also declines to conclusively name Russia as the government involved, but acknowledges that it is by far the most likely candidate: "All of the available evidence however does in our opinion suggest that the group operates on behalf of the Russian Federation. Further, we are currently unaware of any evidence disproving this theory."
Notably absent from the report is any mention of recent digital attacks on the State Department and White House computer systems. Both attacks have been loosely linked to the Duke malware family, but the sensitive nature of the compromise has made it difficult to research. F-Secure researchers say both attacks seem like likely candidates for the Duke group, but it's hard to be certain. "The US State Department and White House are both the type of organizations that we know the Dukes primarily target," said Artturi Lehtiö, a researcher at F-Secure. "Based on what has been reported in the news, we believe it is possible that the Dukes are also behind the recent compromises of the State Department and the White House."