THE DUKES
7 years of Russian cyberespionage

This whitepaper explores the tools - such as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, etc. - of the Dukes, a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making.

TLP: WHITE
F-SECURE LABS THREAT INTELLIGENCE
Whitepaper

CONTENTS

EXECUTIVE SUMMARY 3
THE STORY OF THE DUKES 4
  Etymology: a note on names 4
  2008: Chechnya 4
  2009: First known campaigns against the West 5
  2010: The emergence of CosmicDuke in the Caucasus 6
  2011: John Kasai of Klagenfurt, Austria 7
  2011: Continuing expansion of the Dukes arsenal 7
  2012: Hiding in the shadows 8
  2013: MiniDuke flies too close to the sun 8
  2013: The curious case of OnionDuke 9
  2013: The Dukes and Ukraine 9
  2013: CosmicDuke’s war on drugs 10
  2014: MiniDuke’s rise from the ashes 10
  2014: CosmicDuke’s moment of fame and the scramble that ensued 10
  2014: CozyDuke and monkey videos 11
  2014: OnionDuke gets caught using a malicious Tor node 11
  2015: The Dukes up the ante 12
  2015: CloudDuke 14
  2015: Continuing surgical strikes with CosmicDuke 14
TOOLS AND TECHNIQUES OF THE DUKES 16
  PinchDuke 16
  GeminiDuke 17
  CosmicDuke 18
  MiniDuke 19
  CozyDuke 20
  OnionDuke 21
  SeaDuke 22
  HammerDuke 23
  CloudDuke 24
INFECTION VECTORS 25
DECOYS 25
EXPLOITATION OF VULNERABILITIES 25
ATTRIBUTION AND STATE-SPONSORSHIP 26
BIBLIOGRAPHY 28
APPENDIX I: DATA LISTINGS 29

EXECUTIVE SUMMARY

The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of
foreign and security policy decision-making.

The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organizations associated with Chechen extremism; and Russian speakers engaged in the illicit trade of controlled substances and drugs.

The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large-scale spear-phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns use a smash-and-grab approach: a fast but noisy break-in followed by the rapid collection and exfiltration of as much data as possible. If the compromised target is discovered to be of value, the Dukes quickly switch toolsets and move to stealthier tactics focused on persistent compromise and long-term intelligence gathering.

In addition to these large-scale campaigns, the Dukes continuously and concurrently engage in smaller, much more targeted campaigns, utilizing different toolsets. These targeted campaigns have been going on for at least 7 years. The targets and timing of these campaigns appear to align with the known foreign and security policy interests of the Russian Federation at those times.

The Dukes rapidly react to research being published about their toolsets and operations.
However, the group (or their sponsors) value their operations so highly that, though they will attempt to modify their tools to evade detection and regain stealth, they will not cease operations to do so; instead they incrementally modify their tools while continuing apparently as previously planned. In some of the most extreme cases, the Dukes have been known to engage in campaigns with unaltered versions of tools that only days earlier had been brought to the public’s attention by security companies and actively mentioned in the media. In doing so, the Dukes show unusual confidence in their ability to continue successfully compromising their targets even when their tools have been publicly exposed, as well as in their ability to operate with impunity.

THE STORY OF THE DUKES

The story of the Dukes, as it is currently known, begins with a malware toolset that we call PinchDuke. This toolset consists of multiple loaders and an information-stealer trojan. Importantly, PinchDuke trojan samples always contain a notable text string, which we believe is used as a campaign identifier by the Dukes group to distinguish between multiple attack campaigns that are run in parallel. These campaign identifiers, which frequently specify both the date and target of the campaign, provide us with a tantalizing view into the early days of the Dukes.

Etymology: a note on names

The origins of the Duke toolset names can be traced back to when researchers at Kaspersky Labs coined the term “MiniDuke” to identify the first Duke-related malware they found. As explained in their whitepaper [7], the researchers observed the surprisingly small MiniDuke backdoor being spread via the same exploit that was being used by a malware they had already named ItaDuke; the “Duke” part of that name had in turn come about because the malware reminded the researchers of the notable Duqu threat. Despite the shared history of the name itself, it is important to note that there is no reason to believe that the Duke toolsets are in any way related to the ItaDuke malware, or to Duqu for that matter. As researchers continued discovering new toolsets created and used by the same group that had been operating MiniDuke, the new toolsets were also given “Duke”-derived names, and thus the threat actor operating the toolsets started to be commonly referred to as “the Dukes”. The only other publicly used name for the threat actor that we are aware of is “APT29” [22]. Some exceptions to this naming convention do exist; for specific Duke toolsets, other commonly used names are listed in the Tools and Techniques section (page 16).

2008: Chechnya

The earliest activity we have been able to definitively attribute to the Dukes consists of two PinchDuke campaigns from November 2008. These campaigns use PinchDuke samples that were, according to their compilation timestamps, created on the 5th and 12th of November 2008. The campaign identifiers found in these two samples are, respectively, “alkavkaz.com20081105” and “cihaderi.net20081112”. The first campaign identifier, found in the sample compiled on the 5th, references alkavkaz.com, a domain associated with a Turkish website proclaiming to be the “Chechan [sic] Informational Center” (image 1, page 5). The second campaign identifier, from the sample compiled on the 12th, references cihaderi.net, another Turkish website that claims to provide “news from the jihad world” and which dedicates a section of its site to Chechnya.

Due to a lack of other PinchDuke samples from 2008 or earlier, we are unable to estimate when the Duke operation originally began. Based on our technical analysis of the known PinchDuke samples from 2008, however, we believe PinchDuke to have been under development by the summer of 2008. In fact, we believe that by the autumn of 2008 the Dukes were already developing not one but at least two distinct malware toolsets. This assertion is based on the oldest currently known sample of another Duke-related toolset, GeminiDuke, which was compiled on the 26th of January 2009. This sample, like the early PinchDuke samples, already appears to be a “fully-grown” sample, which is why we believe GeminiDuke was under development by the autumn of 2008.

That the Dukes were already developing and operating at least two distinct malware toolsets by the second half of 2008 suggests to us that either the size of their cyberespionage operation was already large enough to warrant such an arsenal of tools, or that they expected their operation to grow significantly enough in the foreseeable future to warrant the development of such an arsenal. We examine each of the Duke toolsets in greater detail later in the Tools and Techniques section (page 16).

2009: First known campaigns against the West

Based on the campaign identifiers found in PinchDuke samples discovered from 2009, the targets of the Dukes group during that year included organizations such as the Ministry of Defense of Georgia and the ministries of foreign affairs of Turkey and Uganda.
Campaign identifiers from 2009 also reveal that by that time the Dukes were already actively interested in political matters related to the United States (US) and the North Atlantic Treaty Organization (NATO): they ran campaigns targeting (among other organizations) a US-based foreign policy think tank, another set of campaigns related to a NATO exercise held in Europe, and a third set apparently targeting what was then known as the Georgian “Information Centre on NATO”.

Of these campaigns, two clusters in particular stand out. The first is a set of campaigns from the 16th and 17th of April 2009 that targeted a US-based foreign policy think tank, as well as government institutions in Poland and the Czech Republic (image 1, below). These campaigns utilized specially-crafted malicious Microsoft Word documents and PDF files, which were sent as e-mail attachments to various personnel in an attempt to infiltrate the targeted organizations. We believe this cluster of campaigns had a joint goal of gathering intelligence on the sentiments of the targeted countries with respect to the plans being discussed at the time for the US to locate its “European Interceptor Site” missile defense base in Poland, with a related radar station that was intended to be located in the Czech Republic. Regarding the timing of these campaigns, it is curious to note that they began only 11 days after President Barack Obama gave a speech on the 5th of April declaring his intention to proceed with the deployment of these missile defenses [1].

The second notable cluster comprises two campaigns that were possibly aimed at gathering information on Georgia-NATO relations. The first of these runs used the campaign identifier “natoinfo_ge”, an apparent reference to the www.natoinfo.ge website belonging to a Georgian political body that has since been renamed “Information Centre on NATO and EU”.
Although the campaign identifier itself doesn’t contain a date, we believe the campaign to have originated around the 7th of June 2009, which was when the PinchDuke sample in question was compiled. This belief is based on the observation that in all of the other PinchDuke samples we have analyzed, the date in the campaign identifier has been within a day of the compilation date. The second campaign identifier, which we suspect may be related, is “mod_ge_2009_07_03” from a month later, apparently targeting the Ministry of Defense of Georgia.

IMAGE 1: EARLY ACTIVITY FROM 2008 & 2009
Left - Screenshot of alkavkaz.com [2] (circa 2008, preserved by the Internet Archive Wayback Machine), which was referenced in a 2008 PinchDuke sample
Below - Decoy document from a 2009 PinchDuke campaign targeting Poland, the Czech Republic and a US think tank. The contents appear to have been copied from a BBC news article [3]

2010: The emergence of CosmicDuke in the Caucasus

The spring of 2010 saw continued PinchDuke campaigns against Turkey and Georgia, but also numerous campaigns against other members of the Commonwealth of Independent States such as Kazakhstan, Kyrgyzstan, Azerbaijan and Uzbekistan. Of these, the campaign with the identifier “kaz_2010_07_30”, which possibly targeted Kazakhstan, is of note because it is the last PinchDuke campaign we have observed.

We believe that during the first half of 2010 the Dukes slowly migrated from PinchDuke and started using a new infostealer malware toolset that we call CosmicDuke. The first known sample of the CosmicDuke toolset was compiled on the 16th of January 2010. Back then, CosmicDuke still lacked most of the credential-stealing functionality found in later samples. We believe that during the spring of 2010 the credential and file stealing capabilities of PinchDuke were slowly ported to CosmicDuke, effectively making PinchDuke obsolete.
During this period of transition, CosmicDuke would often embed PinchDuke so that, upon execution, CosmicDuke would write PinchDuke to disk and execute it. Both PinchDuke and CosmicDuke would then operate independently on the same compromised host, each performing its own information gathering, data exfiltration and communication with a command and control (C&C) server - although both would often use the same C&C server. We believe the purpose of this parallel use was to ‘field-test’ the new CosmicDuke tool while ensuring operational success with the tried-and-tested PinchDuke.

During this period of CosmicDuke testing and development, the Duke authors also started experimenting with the use of privilege escalation vulnerabilities. Specifically, on the 19th of January 2010 security researcher Tavis Ormandy disclosed a local privilege escalation vulnerability (CVE-2010-0232) affecting Microsoft Windows. As part of the disclosure, Ormandy also included the source code for a proof-of-concept exploit for the vulnerability [4]. Just 7 days later, on the 26th of January, a component for CosmicDuke was compiled that exploited the vulnerability and allowed the tool to operate with higher privileges.

One loader to load them all (almost)

In addition to all the other components being produced by the Dukes group, in 2010 they were also actively developing and testing a new loader - a component that wraps the core malware code and provides an additional layer of obfuscation. The first sample of this loader was compiled on the 26th of July 2010, making it a direct predecessor of what has since become known as the “MiniDuke loader”, as later versions were extensively used by both MiniDuke and CosmicDuke. Some hints about the history of the “MiniDuke loader” were noted in the CosmicDuke whitepaper we published in 2014 [5], where we observed that the loader appeared to have been in use with CosmicDuke before it was used with MiniDuke.
In fact, we now know that before being used with either, the “MiniDuke loader” was used to load PinchDuke. The first known sample of the loader was used during the summer of 2010, while the most recent samples were seen during the spring of 2015. This neatly ties together many of the tools used by the Dukes group, as versions of this one loader have been used to load malware from three different Dukes-related toolsets - CosmicDuke, PinchDuke, and MiniDuke - over the course of five years.

2011: John Kasai of Klagenfurt, Austria

During 2011, the Dukes appear to have significantly expanded both their arsenal of malware toolsets and their C&C infrastructure. While the Dukes employed both hacked websites and purposely rented servers for their C&C infrastructure, the group rarely registered their own domain names, preferring instead to connect to their self-operated servers via IP addresses. The beginning of 2011, however, saw a significant break from that routine, when a large group of domain names was registered by the Dukes in two batches; the first batch was registered on the 29th of January and the second on the 13th of February. All the domains in both batches were initially registered with the same alias: “John Kasai of Klagenfurt, Austria” (image 2). These domains were used by the Dukes in campaigns involving many of their different malware toolsets all the way until 2014. Like the “MiniDuke loader”, these “John Kasai” domains also provide a common thread tying together much of the tooling and infrastructure of the Dukes.

2011: Continuing expansion of the Dukes arsenal

By 2011, the Dukes had already developed at least 3 distinct malware toolsets, including a plethora of supporting components such as loaders and persistence modules.
In fact, as a sign of their arsenal’s breadth, they had already decided to retire one of these malware toolsets as obsolete after developing a replacement for it, seemingly from scratch. The Dukes continued the expansion of their arsenal in 2011 with the addition of two more toolsets: MiniDuke and CozyDuke.

While all of the earlier toolsets - GeminiDuke, PinchDuke, and CosmicDuke - were designed around a core infostealer component, MiniDuke is centered on a simplistic backdoor component whose purpose is to enable the remote execution of commands on the compromised system. The first observed samples of the MiniDuke backdoor component are from May 2011. This backdoor component is, however, technically very closely related to GeminiDuke, to the extent that we believe them to share parts of their source code. The origins of MiniDuke can thus be traced back to the origins of GeminiDuke, of which the earliest observed sample was compiled in January of 2009.

Unlike the simplistic MiniDuke toolset, CozyDuke is a highly versatile, modular malware “platform” whose functionality lies not in a single core component but in an array of modules that it may be instructed to download from its C&C server. These modules are used to selectively provide CozyDuke with just the functionality deemed necessary for the mission at hand. CozyDuke’s modular platform approach is a clear break from the designs of the previous Duke toolsets.

The stylistic differences between CozyDuke and its older siblings are further exemplified by the way it was coded. All 4 of the previously mentioned toolsets were written in a minimalistic style commonly seen with malware; MiniDuke even goes as far as having many components written in assembly language. CozyDuke, however, represents the complete opposite. Instead of being written in assembly or C, it was written in C++, which puts added layers of abstraction at the developer’s disposal, at the cost of added complexity.
Contrary to what might be expected from malware, early CozyDuke versions also lacked any attempt at obfuscating or hiding their true nature. In fact, they were extremely open and verbose about their functionality - for example, early samples contained a plethora of logging messages in unencrypted form. In comparison, even the earliest known GeminiDuke samples encrypted any strings that might have given away the malware’s true nature.

Finally, early CozyDuke versions also featured other elements that one would associate more with a traditional software development project than with malware. For instance, the earliest known CozyDuke version utilized a feature of the Microsoft Visual C++ compiler known as run-time error checking. This feature adds automatic error checking to critical parts of the program’s execution at the cost, from a malware perspective, of providing additional hints that make the malware’s functionality easier for reverse engineers to understand.

Based on these and other similar stylistic differences observed between CozyDuke and its older siblings, we speculate that while the older Duke families appear to be the work of someone with a background in malware writing (or at least in hacking), CozyDuke’s author or authors more likely came from a software development background.

IMAGE 2: COMPARING WHOIS REGISTRATION DETAILS
Left - Original whois registration details for natureinhome.com, one of the Duke C&C server domains registered on the 29th of January 2011 to “John Kasai”
Right - Details for the domain were later changed, providing a small glimpse of the Dukes’ sense of humor

2012: Hiding in the shadows

We still know surprisingly few specifics about the Dukes group’s activities during 2012. Based on samples of Duke malware from 2012, the Dukes do appear to have continued actively using and developing all of their tools.
Of these, CosmicDuke and MiniDuke appear to have been in more active use while receiving only minor updates. GeminiDuke and CozyDuke, on the other hand, appear to have been used less in actual operations but underwent much more significant development.

2013: MiniDuke flies too close to the sun

On the 12th of February 2013, FireEye published a blog post [6] alerting readers to a combination of new Adobe Reader 0-day vulnerabilities, CVE-2013-0640 and CVE-2013-0641, that were being actively exploited in the wild. 8 days after FireEye’s initial alert, Kaspersky spotted the same exploit being used to spread an entirely different malware family from the one mentioned in the original report. On the 27th of February, Kaspersky [7] and the CrySyS Lab [8] published research on this previously unidentified malware family, dubbing it MiniDuke.

As we now know, by February 2013 the Dukes group had been operating MiniDuke and other toolsets for at least 4 and a half years. Their malware had not stayed undetected for those 4 and a half years: in fact, in 2009 a PinchDuke sample had been included in the malware set used by the AV-Test security product testing organization to perform anti-virus product comparison reviews. Until 2013, however, the earlier Duke toolsets had not been put in a proper context. That finally started to change in 2013.

The MiniDuke samples that were spread using these exploits were compiled on the 20th of February, after the exploit was already publicly known. One might argue that since this took place after the exploits were publicly mentioned, the Dukes simply copied them. We, however, do not believe so. As mentioned by Kaspersky, even though the exploits used for these MiniDuke campaigns were near-identical to those described by FireEye, there were nevertheless small differences. Of these, the crucial one is the presence of PDB strings in the MiniDuke exploits.
These strings, which are generated by the compiler under specific compilation settings, mean that the components of the exploits used with MiniDuke had to have been compiled independently from those described by FireEye. We do not know whether the Dukes compiled the components themselves or whether someone else compiled the components before handing them to the group. This does, however, still rule out the possibility that the Dukes simply obtained copies of the exploit binaries described by FireEye and repurposed them.

In our opinion, this insistence on using exploits that are already under heightened scrutiny suggests the existence of at least one of three circumstances. Firstly, the Dukes may have been confident enough in their own abilities (and in the slowness of their opponents to react to new threats) that they did not care if their targets might already be on the lookout for anyone exploiting these vulnerabilities. Secondly, the value the Dukes intended to gain from these MiniDuke campaigns may have been so great that they deemed it worth the risk of getting noticed. Or thirdly, the Dukes may have invested so much into these campaigns that by the time FireEye published their alert, the Dukes felt they could not afford to halt the campaigns. We believe all three circumstances to have coexisted at least to some extent. As will become evident in this report, this was not a one-off case but a recurring theme with the Dukes: they would rather continue with their operations as planned than retreat from operating under the spotlight.

IMAGE 3: MINIDUKE DECOY
One of the Ukraine-themed decoy documents used during a MiniDuke campaign in February 2013

As originally detailed in Kaspersky’s whitepaper, the MiniDuke campaigns from February 2013 employed spear-phishing emails with malicious PDF file attachments.
These PDFs would attempt to silently infect the recipient with MiniDuke while distracting them by displaying a decoy document. The headings of these documents included “Ukraine’s NATO Membership Action Plan (MAP) Debates”, “The Informal Asia-Europe Meeting (ASEM) Seminar on Human Rights”, and “Ukraine’s Search for a Regional Foreign Policy” (image 3, page 8). The targets of these campaigns, according to Kaspersky, were located variously in Belgium, Hungary, Luxembourg and Spain [7]. Kaspersky goes on to state that by obtaining log files from the MiniDuke command and control servers, they were able to identify high-profile victims from Ukraine, Belgium, Portugal, Romania, the Czech Republic, Ireland, the United States and Hungary [7].

2013: The curious case of OnionDuke

After the February campaigns, MiniDuke activity appeared to quiet down for the rest of 2013, although it did not fully stop. The Dukes group as a whole, however, showed no sign of slowing down. In fact, we saw yet another Duke malware toolset, OnionDuke, appear for the first time in 2013. Like CozyDuke, OnionDuke appears to have been designed with versatility in mind, and takes a similarly modular platform approach. The OnionDuke toolset includes various modules for purposes such as password stealing, information gathering, denial of service (DoS) attacks, and even posting spam to the Russian social media network VKontakte. The OnionDuke toolset also includes a dropper, an information stealer variant and multiple distinct versions of the core component that is responsible for interacting with the various modules.

What makes OnionDuke especially curious is an infection vector it began using during the summer of 2013. To spread the toolset, the Dukes used a wrapper to combine OnionDuke with legitimate applications, created torrent files containing these trojanized applications, then uploaded them to websites hosting torrent files (image 4).
Victims who used the torrent files to download the applications would end up infected with OnionDuke.

For most of the OnionDuke components we observed, the first versions that we are aware of were compiled during the summer of 2013, suggesting that this was a period of active development around this toolset. Critically, however, the first sample of the OnionDuke dropper, which we have observed being used only with components of this toolset, was compiled on the 17th of February 2013. This is significant because it suggests that OnionDuke was under development before any part of the Duke operation became public. OnionDuke’s development therefore could not have been simply a response to the outing of one of the other Duke malware families, but was instead intended for use alongside the other toolsets. This indication that the Dukes planned to use an arsenal of 5 malware toolsets in parallel suggests that they were operating with both significant resources and capacity.

2013: The Dukes and Ukraine

In 2013, many of the decoy documents employed by the Dukes in their campaigns were related to Ukraine; examples include a letter undersigned by the First Deputy Minister for Foreign Affairs of Ukraine, a letter from the embassy of the Netherlands in Ukraine to the Ukrainian Ministry of Foreign Affairs, and a document titled “Ukraine’s Search for a Regional Foreign Policy” [9]. These decoy documents, however, were written before the start of the November 2013 Euromaidan protests in Ukraine and the subsequent upheaval. It is therefore important to note that, contrary to what might be assumed, we have actually observed a drop instead of an increase in Ukraine-related campaigns from the Dukes following the country’s political crisis. This is in stark contrast to some other suspected Russian threat actors (such as Operation Pawn Storm [10]) who appear to have increased their targeting of Ukraine following the crisis.
This supports our analysis that the overarching theme in the Dukes’ targeting is the collection of intelligence to support diplomatic efforts. The Dukes actively targeted Ukraine before the crisis, at a time when Russia was still weighing her options, but once Russia moved from diplomacy to direct action, Ukraine was no longer relevant to the Dukes in the same way.

IMAGE 4: ONIONDUKE-TROJANIZED TORRENT FILE
Example of a torrent file containing an executable trojanized with the OnionDuke toolset

2013: CosmicDuke’s war on drugs

In a surprising turn of events, in September 2013 a CosmicDuke campaign was observed targeting Russian speakers involved in the trade of illegal and controlled substances (image 5). Kaspersky Labs, who sometimes refer to CosmicDuke as ‘Bot Gen Studio’, speculated that “one possibility is that ‘Bot Gen Studio’ is a malware platform also available as a so-called ‘legal spyware’ tool”, in which case those using CosmicDuke to target drug dealers and those targeting governments would be two separate entities [11]. We, however, feel it is unlikely that the CosmicDuke operators targeting drug dealers and those targeting governments could be two entirely independent entities. A shared supplier of malware would explain the overlap in tools, but it would not explain the significant overlap we have also observed in operational techniques related to command and control infrastructure. Instead, we feel the targeting of drug dealers was a new task for a subset of the Dukes group, possibly due to the drug trade’s relevance to security policy issues. We also believe the tasking to have been temporary, because we have not observed any further similar targeting from the Dukes after the spring of 2014.
2014: MiniDuke’s rise from the ashes

While MiniDuke activity decreased significantly during the rest of 2013 following the attention it garnered from researchers, the beginning of 2014 saw the toolset back in full force. All MiniDuke components, from the loader and downloader to the backdoor, had been slightly updated and modified during the downtime. Interestingly, the nature of these modifications suggests that their primary purpose was to regain the stealth and undetectability that had been lost almost a year earlier.

Of these modifications, arguably the most important were those made to the loader. These resulted in a loader version that would later become known as the “Nemesis Gemina loader”, due to PDB strings found in many of the samples. It is however still only an iteration on earlier versions of the MiniDuke loader. The first observed samples of the Nemesis Gemina loader (compiled on 14th December 2013) were used to load the updated MiniDuke backdoor, but by the spring of 2014 the Nemesis Gemina loader was also observed in use with CosmicDuke.

2014: CosmicDuke’s moment of fame and the scramble that ensued

Following the MiniDuke exposé, CosmicDuke in turn got its moment of fame when F-Secure published a whitepaper about it on 2nd July 2014 [5]. The next day, Kaspersky also published their own research on the malware [11]. It should be noted that until this point, even though CosmicDuke had been in active use for over 4 years and had undergone minor modifications and updates during that time, even the most recent CosmicDuke samples would often embed persistence components dating back to 2012. These samples would also contain artefacts of functionality from the earliest CosmicDuke samples from 2010. It is therefore valuable to observe how the Dukes reacted to CosmicDuke’s outing at the beginning of July.

By the end of that month, CosmicDuke samples we found that had been compiled on the 30th of July had shed unused parts of their code that had essentially just been relics of the past. Similarly, some of the hardcoded values that had remained unaltered in CosmicDuke samples for many years had been changed. We believe these edits were an attempt at evading detection by modifying or removing parts of the toolset that the authors believed might help in identifying and detecting it.

Concurrently with the alterations to CosmicDuke, the Dukes were also hard at work modifying their trusted loader. Much like the CosmicDuke toolset, the loader used by both MiniDuke and CosmicDuke had previously undergone only one major update (the Nemesis Gemina upgrade) since the first known samples from 2010. Again, much of the modification work focused on removing redundant code in an attempt to appear different from earlier versions of the loader. Interestingly however, another apparent evasion trick was also attempted: forging the loaders’ compilation timestamps.

IMAGE 5: COSMICDUKE DECOY
Screenshot of a decoy document appearing to be an order for growth hormones, which was used in a CosmicDuke campaign in September 2013

The first CosmicDuke sample we observed after the initial research on CosmicDuke was a sample compiled on the 30th of July 2014. The loader used by the sample purported to have been compiled on the 25th of March 2010. Due to artefacts left in the loader at compilation time however, we know that it used a specific version of the Boost library, 1.54.0, which was only published on the 1st of July 2013 [12]. The compilation timestamp therefore had to have been faked. F-Secure’s whitepaper [5] on CosmicDuke includes a timeline of the loader’s usage based on compilation timestamps.
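The consistency check described here, a claimed build date contradicted by an embedded artifact with a known earliest date, is easy to automate during sample triage. The following Python is an added example written for this page, not code from the paper or from F-Secure: it reads the TimeDateStamp from the PE/COFF header and compares it with the earliest possible date of any artifact marker found in the file. The only date taken from the paper is the 1 July 2013 release of Boost 1.54.0; the `boost_1_54_0` marker string (the name of that release’s source tree) is an assumed example of such an artifact, and the PE-shaped sample bytes are constructed, not a real loader. The lookup table generalizes the page’s single case to any artifact with a known earliest date.

```python
"""Cross-check a PE file's claimed compilation timestamp against embedded
artifacts whose earliest possible date is known.

Added example, not code from the F-Secure paper. Marker strings and the
sample bytes below are assumptions/constructed; the only fact taken from the
paper is that Boost 1.54.0 was released on 1 July 2013, so a binary that
embeds a Boost 1.54.0 artifact cannot genuinely predate that day.
"""
import struct
from datetime import datetime, timezone

# Marker -> earliest date at which that marker could appear in a build.
# "boost_1_54_0" is the Boost 1.54.0 source-tree name (assumed marker).
ARTIFACT_EARLIEST_DATE = {
    b"boost_1_54_0": datetime(2013, 7, 1, tzinfo=timezone.utc),
}


def coff_timestamp(pe: bytes) -> datetime:
    """Return the COFF file header TimeDateStamp as a UTC datetime."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF header follows the 4-byte signature; TimeDateStamp sits at
    # offset 4 inside it, after Machine and NumberOfSections.
    (ts,) = struct.unpack_from("<I", pe, e_lfanew + 4 + 4)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def check_timestamp(pe: bytes):
    """Return (claimed build time, [(marker, earliest_date), ...]) where the
    list holds every artifact that contradicts the claimed build time."""
    claimed = coff_timestamp(pe)
    contradictions = [
        (marker.decode(), earliest)
        for marker, earliest in ARTIFACT_EARLIEST_DATE.items()
        if marker in pe and claimed < earliest
    ]
    return claimed, contradictions


def is_timestamp_plausible(pe: bytes) -> bool:
    """True when no embedded artifact postdates the claimed build time."""
    return not check_timestamp(pe)[1]


def build_fake_pe(timestamp: datetime, payload: bytes) -> bytes:
    """Construct a minimal, non-executable PE-shaped byte string for testing:
    MZ header with e_lfanew, PE signature, a COFF header carrying the given
    TimeDateStamp, then the payload bytes. Constructed sample, not malware."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, int(timestamp.timestamp()),
                       0, 0, 0xE0, 0x0102)
    return dos + b"PE\0\0" + coff + payload


# Constructed sample mirroring the paper's case: a loader claiming a build
# date of 25 March 2010 that nevertheless carries a Boost 1.54.0 artifact.
SAMPLE = build_fake_pe(
    datetime(2010, 3, 25, tzinfo=timezone.utc),
    b"...\\boost_1_54_0\\boost\\thread\\win32\\...\0",
)
# Constructed control: the same artifact with a build date after the release.
CLEAN_SAMPLE = build_fake_pe(
    datetime(2014, 7, 30, tzinfo=timezone.utc),
    b"...\\boost_1_54_0\\boost\\thread\\win32\\...\0",
)

if __name__ == "__main__":
    claimed, bad = check_timestamp(SAMPLE)
    print("claimed build time:", claimed.isoformat())
    for marker, earliest in bad:
        print(f"  contains {marker!r}, which did not exist before {earliest.date()}")
```

The same approach works with other dated artifacts (compiler version strings, a library’s copyright year, an exploit for a vulnerability disclosed on a known date): a timestamp earlier than the newest artifact it contains is forged, whereas a later timestamp proves nothing on its own.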
Perhaps the Dukes group thought that by faking a timestamp earlier than the earliest one cited in the whitepaper, they might be able to confuse researchers. During the rest of 2014 and the spring of 2015, the Dukes continued making similar evasion-focused modifications to CosmicDuke, as well as experimenting with ways to obfuscate the loader. In the latter case however, the group appear to have also simultaneously developed an entirely new loader, which we first observed being used in conjunction with CosmicDuke during the spring of 2015.

While it is not surprising that the Dukes reacted to multiple companies publishing extensive reports on one of their key toolsets, it is valuable to note the manner in which they responded. Much like after the MiniDuke exposé in February 2013, the Dukes again appeared to prioritize continuing operations over staying hidden. They could have ceased all use of CosmicDuke (at least until they had developed a new loader) or retired it entirely, since they still had other toolsets available. Instead, they opted for minimal downtime and attempted to continue operations with only minor modifications to the toolset.

2014: CozyDuke and monkey videos

While we now know that CozyDuke had been under development since at least the end of 2011, it was not until the early days of July 2014 that the first large-scale CozyDuke campaign we are aware of took place. This campaign, like later CozyDuke campaigns, began with spear-phishing emails that tried to impersonate commonly seen spam emails. These spear-phishing emails contained links that eventually led the victim to becoming infected with CozyDuke. Some of the CozyDuke spear-phishing emails from early July posed as e-fax arrival notifications, a popular theme for spam emails, and used the same “US letter fax test page” decoy document that was used a year later by CloudDuke.

In at least one case however, the email instead contained a link to a zip archive named “Office Monkeys LOL Video.zip”, hosted on the Dropbox cloud storage service. What made this particular case interesting was that instead of the usual dull PDF file, the decoy was a Flash video file, more specifically a Super Bowl advertisement from 2007 purporting to show monkeys at an office (image 6, above).

IMAGE 6: COZYDUKE DECOYS
Left: US letter fax test decoy used in CozyDuke campaigns
Right: Screenshot of the monkey video decoy also used by CozyDuke

2014: OnionDuke gets caught using a malicious Tor node

On the 23rd of October 2014, Leviathan Security Group published a blog post describing a malicious Tor exit node they had found. They noted that this node appeared to be maliciously modifying any executables downloaded through it over an HTTP connection. Executing the modified applications obtained this way would result in the victim being infected with unidentified malware. On the 14th of November, F-Secure published a blog post naming the malware OnionDuke and associating it with MiniDuke and CosmicDuke, the other Duke toolsets known at the time [13].

Based on our investigations into OnionDuke, we believe that for about 7 months, from April 2014 until Leviathan published their blog post in October 2014, the Tor exit node identified by the researchers was being used to wrap executables on the fly with OnionDuke (image 7, page 13). This is similar to the way in which the toolset was being spread via trojanized applications in torrent files during the summer of 2013.

While investigating the OnionDuke variant being spread by the malicious Tor node, we also identified another OnionDuke variant that appeared to have successfully compromised multiple victims in the ministry of foreign affairs of an Eastern European country during the spring of 2014. This variant differed significantly in functionality from the one being spread via the Tor node, further suggesting that different OnionDuke variants are intended for different kinds of victims.

We believe that, unusually, the purpose of the OnionDuke variant spread via the Tor node was not to pursue targeted attacks but instead to form a small botnet for later use. This OnionDuke variant is related to the one seen being spread via torrent files during the summer of 2013. Both of these infection vectors are highly indiscriminate and untargeted when compared to spear-phishing, the usual infection vector of choice for the Dukes. Further, the functionality of the OnionDuke variant is derived from a number of modules. While one of these modules gathers system information and another attempts to steal the victim’s usernames and passwords, as one would expect from malware used for a targeted attack, the other two known OnionDuke modules are quite the opposite: one is designed for use in DoS attacks and the other for posting predetermined messages to the Russian VKontakte social media site. This sort of functionality is more common in criminality-oriented botnets, not state-sponsored targeted attacks.

We have since been able to identify at least two separate OnionDuke botnets. We believe the formation of the first of these botnets began in January 2014, using both unidentified infection vectors and the known malicious Tor node, and continued until our blog post was published in November. We believe the formation of the second botnet began in August 2014 and continued until January 2015. We have been unable to identify the infection vectors used for this second botnet, but the C&C servers it used had open directory listings, allowing us to retrieve files containing listings of victim IP addresses.
The geographic distribution of these IP addresses (image 8, page 13) further supports our theory that the purpose of this OnionDuke variant was not targeted attacks against high-profile targets. One theory is that the botnets were a criminal side business for the Dukes group. The size of the botnet however (about 1400 bots) is very small if its intended use is commercial DoS attacks or spam sending. Alternatively, OnionDuke also steals user credentials from its victims, providing another potential revenue source. The counter to that argument however is that the value of stolen credentials from users in the countries with the highest percentage of OnionDuke bots (Mongolia and India) is among the lowest on underground markets.

2015: The Dukes up the ante

The end of January 2015 saw the start of the highest-volume Duke campaign seen thus far, with thousands of recipients being sent spear-phishing emails that contained links to compromised websites hosting CozyDuke. Curiously, the spear-phishing emails were strikingly similar to the e-fax-themed spam usually seen spreading ransomware and other common crimeware. Due to the sheer number of recipients, it may not have been possible to customize the emails in the same way as was possible with lower-volume campaigns. The similarity to common spam may however also serve a more devious purpose. It is easy to imagine a security analyst, burdened by the number of attacks against their network, dismissing such common-looking spam as “just another crimeware spam run”, allowing the campaign to, in essence, hide in the masses [14].

The CozyDuke activity continues one of the long-running trends of the Dukes’ operations: the use of multiple malware toolsets against a single target. In this case, the Dukes first attempted to infect large numbers of potential targets with CozyDuke (and in a more obvious manner than previously seen). They would then use the toolset to gather initial information on the victims before deciding which ones to pursue further. For the victims deemed interesting enough, the Dukes would then deploy a different toolset.

We believe the primary purpose of this tactic is to evade detection in the targeted network. Even if the noisy initial CozyDuke campaign is noticed by the victim organization, or by someone else who then makes it publicly known, defenders will begin by looking for indicators of compromise (IOCs) related to the CozyDuke toolset. If by that time the Dukes are already operating within the victim’s network using another toolset with different IOCs, then it is reasonable to assume that it will take much longer for the victim organization to notice the infiltration.

In previous cases, the group used their malware toolsets interchangeably, as either the initial or a later-stage toolset in a campaign. For these CozyDuke campaigns however, the Dukes appear to have employed two particular later-stage toolsets, SeaDuke and HammerDuke, that were purposely designed to leave a persistent backdoor on the compromised network. HammerDuke is a set of backdoors first seen in the wild in February 2015, while SeaDuke is a cross-platform backdoor that was, according to Symantec, first spotted in the wild in October 2014 [15]. Both toolsets were originally spotted being deployed by CozyDuke to its victims.

What makes SeaDuke special is that it was written in Python and designed to work on both Windows and Linux systems; it is the first cross-platform tool we have seen from the Dukes. One plausible reason for developing such flexible malware might be that the group were increasingly encountering victim environments where users ran Linux as their desktop operating system. Meanwhile, HammerDuke is Windows-only malware (written in .NET) and comes in two variants.
The simpler one connects to a hardcoded C&C server over HTTP or HTTPS to download commands to execute. The more advanced variant, on the other hand, uses an algorithm to generate a periodically changing Twitter account name and then attempts to find tweets from that account containing links to the actual download location of the commands to execute. In this way, the advanced HammerDuke variant attempts to hide its network traffic in more legitimate use of Twitter. This method is not unique to HammerDuke, as MiniDuke, OnionDuke, and CozyDuke all support similar use of Twitter (image 9, above) to retrieve links to additional payloads or commands.

IMAGE 7: FLOWCHART OF HOW ONIONDUKE USES MALICIOUS TOR NODE TO INFECT VICTIMS
(Flowchart: the victim’s request for a binary passes through the malicious Tor exit node, which responds with a wrapped binary; the wrapped binary consists of the OnionDuke dropper and the original binary, and the dropper drops the OnionDuke core component and the original binary, then executes the original binary)

IMAGE 8: GEOGRAPHICAL DISTRIBUTION OF ONIONDUKE BOTNET (TOTAL: 1389 BOTS)
(Pie chart of bot counts by country; the largest shares are Mongolia and India)

2015: CloudDuke

In the beginning of July 2015, the Dukes embarked on yet another large-scale phishing campaign. The malware toolset used for this campaign was the previously unseen CloudDuke, and we believe that the July campaign marks the first time this toolset was deployed by the Dukes, other than possible small-scale testing. The CloudDuke toolset consists of at least a loader, a downloader, and two backdoor variants. Both backdoors (internally referred to by their authors as “BastionSolution” and “OneDriveSolution”) essentially allow the operator to remotely execute commands on the compromised machine. The way in which each backdoor does so however is significantly different. While the BastionSolution variant simply retrieves commands from a hard-coded C&C server controlled by the Dukes, the OneDriveSolution variant uses Microsoft’s OneDrive cloud storage service to communicate with its masters, making it significantly harder for defenders to notice the traffic and block the communication channel.

What is most significant about the July 2015 CloudDuke campaign is the timeline. The campaign appeared to consist of two distinct waves of spear-phishing, one during the first days of July and the other starting from the 20th of the month. Details of the first wave, including a thorough technical analysis of CloudDuke, were published by Palo Alto Networks on 14th July [16]. This was followed by additional details from Kaspersky in a blog post published on 16th July [17]. Both publications happened before the second wave took place and received notable publicity. Despite the attention and the public exposure of the toolset’s technical details (including IOCs) to defenders, the Dukes still continued with their second wave of spear-phishing, including the continued use of CloudDuke. The group did change the contents of the spear-phishing emails they sent, but they didn’t switch to a new email format; instead, they reverted to the same e-fax-themed format they had previously employed, even to the point of reusing the exact same decoy document they had used in the CozyDuke campaign a year earlier (July 2014).

This once more highlights two crucial behavioral elements of the Dukes group. Firstly, as with the MiniDuke campaigns of February 2013 and the CosmicDuke campaigns in the summer of 2014, the group again clearly prioritized the continuation of their operations over maintaining stealth. Secondly, it underlines their boldness, arrogance and self-confidence; they are clearly confident in their ability to compromise their targets even when their tools and techniques are already publicly known, and critically, they appear to be extremely confident in their ability to act with impunity.

2015: Continuing surgical strikes with CosmicDuke

In addition to the notably overt and large-scale campaigns with CozyDuke and CloudDuke, the Dukes also continued to engage in more covert, surgical campaigns using CosmicDuke. The latest of these campaigns that we are aware of occurred during the spring and early summer of 2015. As their infection vectors, these campaigns used malicious documents exploiting recently fixed vulnerabilities. Two of these campaigns were detailed in separate blog posts by the Polish security company Prevenity, who said that both campaigns targeted Polish entities with spear-phishing emails containing malicious attachments with relevant Polish-language names [18] [19]. A third, similar CosmicDuke campaign was observed presumably targeting Georgian entities, since it used an attachment with a Georgian-language name that translates to “NATO consolidates control of the Black Sea.docx”. Based on this, we do not believe that the Dukes are replacing their covert and targeted campaigns with the overt and opportunistic CozyDuke and CloudDuke style of campaign. Instead, we believe they are simply expanding their activities by adding new tools and techniques.
IMAGE 9: ONIONDUKE C&C TWEET
Screenshot of a tweet intended for OnionDuke, with a link pointing to an image file that embeds an updated version of OnionDuke

IMAGE 10: TIMELINE OF KNOWN ACTIVITY FOR THE VARIOUS DUKE TOOLKITS
(Chart of toolkits against the years 2007 to 2015, marking the first known and the most recent known activity of PinchDuke, GeminiDuke, CosmicDuke, the MiniDuke loader and backdoor, CozyDuke, OnionDuke, SeaDuke, HammerDuke and CloudDuke)

TOOLS AND TECHNIQUES OF THE DUKES

PINCHDUKE

First known activity: November 2008
Most recent known activity: Summer 2010
Other names: N/A
C&C communication methods: HTTP(S)
Known toolset components:
◊ Multiple loaders
◊ Information stealer

The PinchDuke toolset consists of multiple loaders and a core information stealer trojan. The loaders associated with the PinchDuke toolset have also been observed being used with CosmicDuke. The PinchDuke information stealer gathers system configuration information, steals user credentials, and collects user files from the compromised host, transferring these via HTTP(S) to a C&C server. We believe PinchDuke’s credential stealing functionality is based on the source code of the Pinch credential stealing malware (also known as LdPinch), which was developed in the early 2000s and has since been openly distributed on underground forums.

Credentials targeted by PinchDuke include ones associated with the following software or services:
• The Bat!
• Yahoo!
• Mail.ru
• Passport.Net
• Google Talk
• Netscape Navigator
• Mozilla Firefox
• Mozilla Thunderbird
• Internet Explorer
• Microsoft Outlook
• WinInet Credential Cache
• Lightweight Directory Access Protocol (LDAP)

PinchDuke will also search for files that have been created within a predefined timeframe and whose file extension is present in a predefined list.

As a curiosity, most PinchDuke samples contain a Russian-language error message: “Ошибка названия модуля! Название секции данных должно быть 4 байта!”, which roughly translates to: “There is an error in the module’s name! The length of the data section name must be 4 bytes!”

GEMINIDUKE

First known activity: January 2009
Most recent known activity: December 2012
Other names: N/A
C&C communication methods: HTTP(S)
Known toolset components:
◊ Loader
◊ Information stealer
◊ Multiple persistence components

The GeminiDuke toolset consists of a core information stealer, a loader and multiple persistence-related components. Unlike CosmicDuke and PinchDuke, GeminiDuke primarily collects information on the victim computer’s configuration. The collected details include:
• Local user accounts
• Network settings
• Internet proxy settings
• Installed drivers
• Running processes
• Programs previously executed by users
• Programs and services configured to automatically run at startup
• Values of environment variables
• Files and folders present in any user’s home folder
• Files and folders present in any user’s My Documents folder
• Programs installed to the Program Files folder
• Recently accessed files, folders and programs

As is common for malware, the GeminiDuke infostealer uses a mutex to ensure that only one instance of itself is running at a time. What is less common is that the name used for the mutex is often a timestamp. We believe these timestamps to be generated during the compilation of GeminiDuke from the local time of the computer being used.
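The comparison this reasoning rests on (a UTC compilation timestamp from the PE header against a local-time timestamp embedded in the binary) can be scripted so that the apparent offset of the build machine is derived per sample and then tested against candidate timezone rules. The Python below is an added example written for this page, not code from the paper: the mutex name layout `YYYY-MM-DD HH:MM:SS` and every sample value are constructed assumptions (the paper does not give the exact format it observed), and the three rules encode only what the paper states about Moscow time: UTC+3 in winter and UTC+4 in summer before 2011, UTC+4 year-round from 2011, UTC+3 year-round from 2014. The DST switch dates (last Sunday of March and October) are simplified to midnight UTC.

```python
"""Infer the apparent local timezone of a build machine from pairs of
(compilation timestamp, local-time mutex name) and test the inferred
offsets against candidate timezone rules.

Added example, not code from the F-Secure paper. The mutex name format and
all sample values are constructed; the timezone rules encode the paper's
statements about Moscow Standard Time (MSK).
"""
import calendar
from datetime import datetime, timedelta, timezone

MUTEX_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed local-time layout of mutex names


def last_sunday(year: int, month: int) -> datetime:
    """Midnight UTC on the last Sunday of the given month (simplified DST switch)."""
    days = calendar.monthrange(year, month)[1]
    end = datetime(year, month, days, tzinfo=timezone.utc)
    return end - timedelta(days=(end.weekday() - 6) % 7)


def msk_pre_2011(utc: datetime) -> int:
    """Pre-2011 MSK: UTC+4 between the last Sunday of March and the last
    Sunday of October (DST), UTC+3 otherwise."""
    in_dst = last_sunday(utc.year, 3) <= utc < last_sunday(utc.year, 10)
    return 4 if in_dst else 3


# Candidate rules: rule(compile time in UTC) -> expected whole-hour offset.
RULES = {
    "MSK pre-2011 (DST)": msk_pre_2011,
    "MSK 2011-2014 (UTC+4 fixed)": lambda utc: 4,
    "MSK 2014- (UTC+3 fixed)": lambda utc: 3,
}


def apparent_offset(compile_utc: datetime, mutex_name: str, tolerance: int = 120):
    """Whole-hour UTC offset implied by the mutex name, or None when the name
    is not a timestamp or lies more than `tolerance` seconds away from the
    compile time once the whole-hour offset is removed."""
    try:
        local = datetime.strptime(mutex_name, MUTEX_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    delta = (local - compile_utc).total_seconds()
    hours = round(delta / 3600)
    if abs(delta - hours * 3600) > tolerance:
        return None
    return hours


def matching_rules(samples):
    """Names of the rules with which every sample's apparent offset agrees."""
    offsets = [(utc, apparent_offset(utc, name)) for utc, name in samples]
    return [
        rule_name
        for rule_name, rule in RULES.items()
        if all(off is not None and rule(utc) == off for utc, off in offsets)
    ]


# Constructed samples: compile times are UTC (as in the PE header); mutex
# names are the build machine's local clock a few seconds later.
SAMPLES_BEFORE_2011 = [
    (datetime(2010, 1, 20, 9, 0, 0, tzinfo=timezone.utc), "2010-01-20 12:00:07"),  # winter, +3
    (datetime(2010, 7, 14, 9, 0, 0, tzinfo=timezone.utc), "2010-07-14 13:00:02"),  # summer, +4
]
SAMPLES_AFTER_2011 = [
    (datetime(2012, 2, 8, 9, 0, 0, tzinfo=timezone.utc), "2012-02-08 12:00:04"),   # winter, +3
    (datetime(2012, 8, 2, 9, 0, 0, tzinfo=timezone.utc), "2012-08-02 13:00:11"),   # summer, +4
]

if __name__ == "__main__":
    print("builds from 2010 match:", matching_rules(SAMPLES_BEFORE_2011))
    print("builds from 2012 match:", matching_rules(SAMPLES_AFTER_2011))
```

With these constructed inputs the 2012 builds still match only the pre-2011 DST rule, which is the pattern a build machine that never received the timezone update would produce. The check is deliberately conservative: a mutex name that is not within a couple of minutes of the compile time after removing a whole-hour offset is discarded rather than guessed at.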
Comparing the GeminiDuke compilation timestamps, which always reference the time in the UTC+0 timezone, with the local-time timestamps used as mutex names, and adjusting for the presumed timezone difference, we note that all of the mutex names reference a time and date within seconds of the respective sample’s compilation timestamp. Additionally, the apparent timezone of the timestamps in all of the GeminiDuke samples compiled during the winter is UTC+3, while for samples compiled during the summer it is UTC+4. The observed timezones correspond to the pre-2011 definition of Moscow Standard Time (MSK) [20], which was UTC+3 during the winter and UTC+4 during the summer. In 2011 MSK stopped following Daylight Saving Time (DST) and was set to UTC+4 year-round, then reset to UTC+3 year-round in 2014.

Some of the observed GeminiDuke samples that used timestamps as mutex names were compiled while MSK still observed DST, and for these samples the timestamps perfectly align with MSK as it was defined at the time. However, GeminiDuke samples compiled after MSK was altered still vary the timezone between UTC+3 in the winter and UTC+4 during the summer. While computers using Microsoft Windows automatically adjust for DST, changes in timezone definitions require that an update to Windows be installed. We therefore believe that the Dukes group simply failed to update the computer they were using to compile GeminiDuke samples, so that the timestamps seen in later samples still appear to follow the old definition of Moscow Standard Time.

Map of timezones in Russia; © Eric Muller [23]. Pink: MSK (UTC+3); Orange: UTC+4; Moscow marked.

The GeminiDuke infostealer has occasionally been wrapped with a loader that appears to be unique to GeminiDuke and has never been observed being used with any of the other Duke toolsets. GeminiDuke also occasionally embeds additional executables that attempt to achieve persistence on the victim computer. These persistence components appear to be uniquely customized for use with GeminiDuke, but they use many of the same techniques as CosmicDuke persistence components.

COSMICDUKE

First known activity: January 2010
Most recent known activity: Summer 2015
Other names: Tinybaron, BotgenStudios, NemesisGemina
C&C communication methods: HTTP(S), FTP, WebDAV
Known toolset components:
◊ Information stealer
◊ Multiple loaders
◊ Privilege escalation component
◊ Multiple persistence components

The CosmicDuke toolset is designed around a main information stealer component. This information stealer is augmented by a variety of components that the toolset operators may selectively include with the main component to provide additional functionality, such as multiple methods of establishing persistence, as well as modules that attempt to exploit privilege escalation vulnerabilities in order to execute CosmicDuke with higher privileges. CosmicDuke’s information stealing functionality includes:
• Keylogging
• Taking screenshots
• Stealing clipboard contents
• Stealing user files with file extensions that match a predefined list
• Exporting the user’s cryptographic certificates, including private keys
• Collecting user credentials, including passwords, for a variety of popular chat and email programs as well as from web browsers

CosmicDuke may use HTTP, HTTPS, FTP or WebDAV to exfiltrate the collected data to a hardcoded C&C server. While we believe CosmicDuke to be an entirely custom-written toolset with no direct sharing of code with other Duke toolsets, the high-level ways in which many of its features have been implemented appear to be shared with other members of the Duke arsenal. Specifically, the techniques CosmicDuke uses to extract user credentials from targeted software and to detect the presence of analysis tools appear to be based on the techniques used by PinchDuke. Likewise, many of CosmicDuke’s persistence components use techniques also used by components associated with GeminiDuke and CozyDuke. In all of these cases, the techniques are the same, but the code itself has been altered to work with the toolset in question, leading to small differences in the final implementation.

A few of the CosmicDuke samples we discovered also included components that attempt to exploit either of the publicly known CVE-2010-0232 or CVE-2010-4398 privilege escalation vulnerabilities. In the case of CVE-2010-0232, the exploit appears to be based directly on the proof-of-concept code published by security researcher Tavis Ormandy when he disclosed the vulnerability [4]. We believe that the exploit for CVE-2010-4398 was also based on a publicly available proof of concept [21].

In addition to often embedding persistence or privilege escalation components, CosmicDuke has occasionally embedded PinchDuke, GeminiDuke, or MiniDuke components. It should be noted that CosmicDuke does not interoperate with the second, embedded malware in any way other than by writing it to disk and executing it. After that, CosmicDuke and the second malware operate entirely independently of each other, including separately contacting their C&C servers. Sometimes both malware have used the same C&C server, but in other cases even the servers have been different.

Finally, it is worth noting that while most of the compilation timestamps for CosmicDuke samples appear to be authentic, we are aware of a few cases of them being forged. One such case was detailed on page 10 as an apparent evasion attempt. Another is a loader variant seen during the spring of 2010 in conjunction with both CosmicDuke and PinchDuke. These loader samples all had compilation timestamps purporting to be from the 24th or the 25th of September 2001. However, many of these loader samples embed CosmicDuke variants that exploit the CVE-2010-0232 privilege escalation vulnerability, making it impossible for the compilation timestamps to be authentic.

Further reading
1. Timo Hirvonen; F-Secure Labs; CosmicDuke: Cosmu with a Twist of MiniDuke; published 2 July 2014; https://www.f-secure.com/documents/996508/1030745/cosmicduke_whitepaper.pdf
2. GReAT; Securelist; Miniduke is back: Nemesis Gemina and the Botgen Studio; published 3 July 2014; https://securelist.com/blog/incidents/64107/miniduke-is-back-nemesis-gemina-and-the-botgen-studio/

MINIDUKE

First known activity: Loader July 2010; Backdoor May 2011
Most recent known activity: Loader Spring 2015; Backdoor Summer 2014
Other names: N/A
C&C communication methods: HTTP(S), Twitter
Known toolset components:
◊ Downloader
◊ Backdoor
◊ Loader

The MiniDuke toolset consists of multiple downloader and backdoor components, which are commonly referred to as the MiniDuke “stage 1”, “stage 2”, and “stage 3” components as per Kaspersky’s original MiniDuke whitepaper. Additionally, a specific loader is often associated with the MiniDuke toolset and is referred to as the “MiniDuke loader”. While the loader has often been used together with other MiniDuke components, it has also commonly been used in conjunction with CosmicDuke and PinchDuke. In fact, the oldest samples of the loader that we have found were used with PinchDuke. To avoid confusion however, we have decided to continue referring to the loader as the “MiniDuke loader”.

Two details about MiniDuke components are worth noting. Firstly, some of the MiniDuke components were written in assembly language. While much malware was written in assembly during the ‘old days’ of curiosity-driven virus writing, it has since become a rarity.
Secondly, some of the MiniDuke components do not contain a hardcoded C&C server address but instead obtain the address of a current C&C server via Twitter. The use of Twitter, either to initially obtain the address of a C&C server or as a backup if no hardcoded primary C&C server responds, is a feature also found in OnionDuke, CozyDuke, and HammerDuke.

Further reading
1. Costin Raiu, Igor Soumenkov, Kurt Baumgartner, Vitaly Kamluk; Kaspersky Lab; The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor; published 27 February 2013; http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/themysteryofthepdf0-dayassemblermicrobackdoor.pdf
2. CrySyS Blog; Miniduke; published 27 February 2013; http://blog.crysys.hu/2013/02/miniduke/
3. Marius Tivadar, Bíró Balázs, Cristian Istrate; BitDefender; A Closer Look at MiniDuke; published April 2013; http://labs.bitdefender.com/wp-content/uploads/downloads/2013/04/MiniDuke_Paper_Final.pdf
4. CIRCL - Computer Incident Response Center Luxembourg; Analysis Report (TLP:WHITE) Analysis of a stage 3 Miniduke sample; published 30 May 2013; https://www.circl.lu/files/tr-14/circl-analysisreport-miniduke-stage3-public.pdf
5. ESET WeLiveSecurity blog; Miniduke still duking it out; published 20 May 2014; http://www.welivesecurity.com/2014/05/20/miniduke-still-duking/

COZYDUKE

First known activity: January 2010
Most recent known activity: Spring 2015
Other names: CozyBear, CozyCar, Cozer, EuroAPT
C&C communication methods: HTTP(S), Twitter (backup)
Known toolset components:
◊ Dropper
◊ Modular backdoor
◊ Multiple persistence components
◊ Information gathering module
◊ Screenshot module
◊ Password stealing module
◊ Password hash stealing module

CozyDuke is not simply a malware toolset; rather, it is a modular malware platform formed around a core backdoor component. This component can be instructed by the C&C server to download and execute arbitrary modules, and it is these modules that provide CozyDuke with its vast array of functionality. Known CozyDuke modules include:
• Command execution module for executing arbitrary Windows Command Prompt commands
• Password stealer module
• NT LAN Manager (NTLM) hash stealer module
• System information gathering module
• Screenshot module

In addition to modules, CozyDuke can also be instructed to download and execute other, independent executables. In some observed cases, these executables were self-extracting archive files containing common hacking tools, such as PsExec and Mimikatz, combined with script files that execute these tools. In other cases, CozyDuke has been observed downloading and executing tools from other toolsets used by the Dukes, such as OnionDuke, SeaDuke, and HammerDuke.

EXAMPLES OF COZYDUKE PDB STRINGS
• E:\Visual Studio 2010\Projects\Agent_NextGen\Agent2011v3\Agent2011\Agent\tasks\bin\GetPasswords\exe\GetPasswords.pdb
• D:\Projects\Agent2011\Agent2011\Agent\tasks\bin\systeminfo\exe\systeminfo.pdb
• \\192.168.56.101\true\soft\Agent\tasks\Screenshots\agent_screeshots\Release\agent_screeshots.pdb

Further reading
1. Artturi Lehtio; F-Secure Labs; CozyDuke; published 22 April 2015; https://www.f-secure.com/documents/996508/1030745/CozyDuke (PDF)
2. Kurt Baumgartner, Costin Raiu; Securelist; The CozyDuke APT; 21 April 2015; https://securelist.com/blog/research/69731/the-cozyduke-apt/

ONIONDUKE

First known activity: February 2013
Most recent known activity: Spring 2015
Other names: N/A
C&C communication methods: HTTP(S), Twitter (backup)
Known toolset components:
◊ Dropper
◊ Loader
◊ Multiple modular core components
◊ Information stealer
◊ Distributed Denial of Service (DDoS) module
◊ Password stealing module
◊ Information gathering module
◊ Social network spamming module

The OnionDuke toolset includes at least a dropper, a loader, an information stealer trojan and multiple modular variants with associated modules. OnionDuke first caught our attention because it was being spread via a malicious Tor exit node. The Tor node would intercept any unencrypted executable files being downloaded and modify those executables by adding a malicious wrapper containing an embedded OnionDuke. Once the victim finished downloading the file and executed it, the wrapper would infect the victim’s computer with OnionDuke before executing the original, legitimate executable. The same wrapper has also been used to wrap legitimate executable files, which were then made available for users to download from torrent sites. Again, if a victim downloaded a torrent containing a wrapped executable, they would get infected with OnionDuke. Finally, we have also observed victims being infected with OnionDuke after they were already infected with CozyDuke. In these cases, CozyDuke was instructed by its C&C server to download and execute the OnionDuke toolset.

Further reading
1. Artturi Lehtio; F-Secure Weblog; OnionDuke: APT Attacks Via the Tor Network; published 14 November 2014; https://www.f-secure.com/weblog/archives/00002764.html

SEADUKE

First known activity: October 2014
Most recent known activity: Spring 2015
Other names: SeaDaddy, SeaDask
C&C communication methods: HTTP(S)
Known toolset components:
◊ Backdoor

SeaDuke is a simple backdoor that focuses on executing commands retrieved from its C&C server, such as uploading and downloading files, executing system commands and evaluating additional Python code. SeaDuke is made interesting by the fact that it is written in Python and designed to be cross-platform, so that it works on both Windows and Linux. The only known infection vector for SeaDuke is via an existing CozyDuke infection, wherein CozyDuke downloads and executes the SeaDuke toolset. Like HammerDuke, SeaDuke appears to be used by the Dukes group primarily as a secondary backdoor left on CozyDuke victims after that toolset has completed the initial infection and stolen any readily available information from them.

Further reading
1. Symantec Security Response; “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory; published 13 July 2015; http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory
2. Josh Grunzweig; Palo Alto Networks; Unit 42 Technical Analysis: Seaduke; published 14 July 2015; http://researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seaduke/
3.
Artturi Lehtio; F-Secure Weblog; Duke APT group’s latest tools: cloud services and Linux support; published 22 July 2015; https://www.f- secure.com/weblog/archives/00002822.html EXAMPLE OF CROSS-PLATFORM SUPPORT FOUND IN SEADUKE'S SOURCE CODE SEADUKE 23 Over 7 years of Russian cyberespionage THE DUKES First known activity: January 2015 Most recent known activity: Summer 2015 Other names: HAMMERTOSS, Netduke C&C communication methods: HTTP (S), Twitter Known toolset components: ◊ Backdoor HammerDuke is a simple backdoor that is apparently designed for similar use cases as SeaDuke. Specifically, the only known infection vector for HammerDuke is to be downloaded and executed by CozyDuke onto a victim that has already been compromised by that toolset. This, together with HammerDuke’s simplistic backdoor functionality, suggests that it is primarily used by the Dukes group as a secondary backdoor left on CozyDuke victims after CozyDuke performed the initial infection and stole any readily available information from them. HammerDuke is however interesting because it is written in .NET, and even more so because of its occasional use of Twitter as a C&C communication channel. Some HammerDuke variants only contain a hardcoded C&C server address from which they will retrieve commands, but other HammerDuke variants will first use a custom algorithm to generate a Twitter account name based on the current date. If the account exists, HammerDuke will then search for tweets from that account with links to image files that contain embedded commands for the toolset to execute. HammerDuke’s use of Twitter and crafted image files is reminiscent of other Duke toolsets. Both OnionDuke and MiniDuke also use date-based algorithms to generate Twitter account names and then searched for any tweets from those accounts that linked to image files. 
In contrast however, for OnionDuke and MiniDuke the linked image files contain embedded malware to be downloaded and executed, rather than instructions. Similarly, GeminiDuke may also download image files, but these would contain embedded additional configuration information for the toolset itself. Unlike HammerDuke however, the URLs for the images downloaded by GeminiDuke are hardcoded in its initial configuration, rather than retrieved from Twitter. Further reading 1. FireEye; HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group; published July 2015; https://www2.fireeye.com/rs/848-DID-242/ images/rpt-apt29-hammertoss.pdf * *APT29 is the name used by FireEye to identify the cyberespionagegroup we refer to as the Dukes. HAMMERDUKE 24 THE DUKES Over 7 years of Russian cyberespionage First known activity: June 2015 Most recent known activity: Summer 2015 Other names: MiniDionis, CloudLook C&C communication methods: HTTP (S), Microsoft OneDrive Known toolset components: ◊ Downloader ◊ Loader ◊ Two backdoor variants CloudDuke is a malware toolset known to consist of, at least, a downloader, a loader and two backdoor variants. The CloudDuke downloader will download and execute additional malware from a preconfigured location. Interestingly, that location may be either a web address or a Microsoft OneDrive account. Both CloudDuke backdoor variants support simple backdoor functionality, similar to SeaDuke. While one variant will use a preconfigured C&C server over HTTP or HTTPS, the other variant will use a Microsoft OneDrive account to exchange commands and stolen data with its operators. Further reading 1. Artturi Lehtio; F-Secure Weblog; Duke APT group’s latest tools: cloud services and Linux support; published 22 July 2015; https://www.f-secure. com/weblog/archives/00002822.html 2. 
Brandon Levene, Robert Falcone and Richard Wartell; Palo Alto Networks; Tracking MiniDionis: CozyCar’s New Ride Is Related to Seaduke; published 14 July 2015; http://researchcenter. paloaltonetworks.com/2015/07/tracking- minidionis-cozycars-new-ride-is-related-to- seaduke/ 3. Segey Lozhkin; Securelist; Minidionis – one more APT with a usage of cloud drives; published 16 July 2015; https://securelist.com/blog/ research/71443/minidionis-one-more-apt-with- a-usage-of-cloud-drives/ CLOUDDUKE Over 7 years of Russian cyberespionage THE DUKES 25 INFECTION VECTORS The Dukes primarily use spear-phishing emails when attempting to infect victims with their malware. These spear-phishing emails range from ones purposely designed to look like spam messages used to spread common crimeware and addressed to large numbers of people, to highly targeted emails addressed to only a few recipients (or even just one person) and with content that is highly relevant for the intended recipient(s). In some cases, the Dukes appear to have used previously compromised victims to send new spear-phishing emails to other targets. The spear-phishing emails used by the Dukes may contain either specially-crafted malicious attachments or links to URLs hosting the malware. When malicious attachments are used, they may either be designed to exploit a vulnerability in a popular software assumed to be installed on the victim’s machine, such as Microsoft Word or Adobe Reader, or the attachment itself may have its icon and filename obfuscated in such a way that the file does not appear to be an executable. The only instances which we are aware of where the Dukes did not use spear-phishing as the initial infection vector is with certain OnionDuke variants. These were instead spread using either a malicious Tor node that would trojanize legitimate applications on-the-fly with the OnionDuke toolset, or via torrent files containing previously trojanized versions of legitimate applications. 
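The attachment disguises described above (a document-like icon or filename on what is really an executable) can be screened at the mail gateway before a recipient ever sees the file. The following is an added example written for this page, not F-Secure tooling: it checks each attachment for a document extension directly followed by an executable one, for PE content (the DOS "MZ" header) behind a non-executable filename, and, as a related filename check that the paper itself does not mention, for the Unicode right-to-left override character. The extension sets and the sample attachments are constructed for the example.

```python
"""Flag mail attachments whose name or content disguises an executable (added example)."""
from pathlib import PurePosixPath

# Extensions Windows runs directly on double-click (a representative set, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar", ".msi", ".hta"}
# Extensions a recipient expects for the document and image decoys the paper describes.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx", ".jpg", ".png", ".txt", ".zip"}
# Unicode right-to-left override: a filename trick not discussed in the paper, included as a related check.
RTLO = "\u202e"


def assess_attachment(filename, data):
    """Return finding codes for one attachment; an empty list means no disguise was detected."""
    findings = []
    suffixes = [s.lower() for s in PurePosixPath(filename.replace(RTLO, "")).suffixes]
    final_ext = suffixes[-1] if suffixes else ""

    # "invitation.pdf.exe": a document extension directly followed by an executable one.
    if len(suffixes) >= 2 and final_ext in EXECUTABLE_EXTS and suffixes[-2] in DOCUMENT_EXTS:
        findings.append("double-extension")

    # Content starts with the DOS 'MZ' header of a PE file while the name claims a document.
    # This also covers the icon trick without parsing resources: whatever icon it shows, the bytes are a PE.
    if data[:2] == b"MZ" and final_ext not in EXECUTABLE_EXTS:
        findings.append("pe-content-non-executable-name")

    # RTLO reverses how the tail of the name is displayed, so the real extension is hidden from the user.
    if RTLO in filename:
        findings.append("rtlo-in-filename")
    return findings


def triage(attachments):
    """Map each attachment name to its findings, keeping only the suspicious ones."""
    return {name: f for name, f in ((n, assess_attachment(n, d)) for n, d in attachments.items()) if f}


# Constructed sample attachments (names and bytes invented for this example).
SAMPLE_ATTACHMENTS = {
    "participants_list.pdf": b"%PDF-1.4\n...",
    "invitation.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "report.docx": b"MZ\x90\x00" + b"\x00" * 60,
    "scan" + RTLO + "fdp.exe": b"MZ\x90\x00" + b"\x00" * 60,
}

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_ATTACHMENTS).items():
        print(repr(name), findings)
```

The content check is the one that matters for the icon trick: a custom icon resource changes what Explorer draws, not the first two bytes of the file, so a PE presented as a document is caught regardless of how convincing the icon is.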
Finally, it is worth noting that the Dukes are known to sometimes re-infect a victim of one of their malware tools with another one of their tools. Examples include CozyDuke infecting its victims with SeaDuke, HammerDuke, or OnionDuke; and CosmicDuke infecting its victims with PinchDuke, GeminiDuke or MiniDuke.

DECOYS

The Dukes commonly employ decoys with their infection vectors. These decoys may be image files, document files, Adobe Flash videos or similar that are presented to the victim during the infection process in an attempt to distract them from the malicious activity. The contents of these decoys range from non-targeted material such as videos of television commercials showing monkeys at an office, to highly targeted documents with content directly relevant to the intended recipient such as reports, invitations, or lists of participants to an event.

Usually, the contents of the decoys appear to be taken from public sources, either by copying publicly accessible material such as a news report or by simply repurposing a legitimate file that has been openly distributed. In some cases however, highly targeted decoys have been observed using content that does not appear to be publicly available, suggesting that these contents may have been stolen from other victims that had been infected by Duke toolsets.

EXPLOITATION OF VULNERABILITIES

The Dukes have employed exploits both in their infection vectors as well as in their malware. We are however only aware of one instance - the exploitation of CVE-2013-0640 to deploy MiniDuke - where we believe the exploited vulnerability was a zero-day at the time that the group acquired the exploit. In all known cases where exploits were employed, we believe the Dukes did not themselves discover the vulnerabilities or design the original exploits; for the exploited zero-day, we believe the Dukes purchased the exploit. In all other cases, we believe the group simply repurposed publicly available exploits or proofs of concept.
ATTRIBUTION AND STATE-SPONSORSHIP

Attribution is always a difficult question, but attempting to answer it is important in understanding these types of threats and how to defend against them. This paper has already stated that we believe the Dukes to be a Russian state-sponsored cyberespionage operation. To reach this conclusion, we began by analyzing the apparent objectives and motivations of the group. Based on what we currently know about the targets chosen by the Dukes over the past 7 years, they appear to have consistently targeted entities that deal with foreign policy and security policy matters. These targets have included organizations such as ministries of foreign affairs, embassies, senates, parliaments, ministries of defense, defense contractors, and think tanks. In one of their more intriguing cases, the Dukes have appeared to also target entities involved in the trafficking of illegal drugs. Even such targets however appear to be consistent with the overarching theme, given the drug trade’s relevance to security policy. Based on this, we are confident in our conclusion that the Dukes’ primary mission is the collection of intelligence to support foreign and security policy decision-making.

This naturally leads to the question of state-sponsorship. Based on our establishment of the group’s primary mission, we believe the main benefactor (or benefactors) of their work is a government. But are the Dukes a team or a department inside a government agency? An external contractor? A criminal gang selling to the highest bidder? A group of tech-savvy patriots? We don’t know.

Based on the length of the Dukes’ activity, our estimate of the amount of resources invested in the operation and the fact that their activity only appears to be increasing, we believe the group to have significant and, most critically, stable financial backing. The Dukes have consistently operated large-scale campaigns against high-profile targets while concurrently engaging in smaller, more targeted campaigns with apparent coordination and no evidence of unintentional overlap or operational clashes. We therefore believe the Dukes to be a single, large, well-coordinated organization with clear separation of responsibilities and targets.

The Dukes appear to prioritize the continuation of their operations over stealth. Their 2015 CozyDuke and CloudDuke campaigns take this to the extreme by apparently opting for speed and quantity over stealth and quality. In the most extreme case, the Dukes continued with their July 2015 CloudDuke campaign even after their activity had been outed by multiple security vendors. We therefore believe the Dukes’ primary mission to be so valuable to their benefactors that its continuation outweighs everything else.

This apparent disregard for publicity suggests, in our opinion, that the benefactors of the Dukes are so powerful and so tightly connected to the group that the Dukes are able to operate with no apparent fear of repercussions on getting caught. We believe the only benefactor with the power to offer such comprehensive protection would be the government of the nation from which the group operates. We therefore believe the Dukes to work either within or directly for a government, thus ruling out the possibility of a criminal gang or another third party.

This leaves us with the final question: which country? We are unable to conclusively prove responsibility of any specific country for the Dukes. All of the available evidence however does in our opinion suggest that the group operates on behalf of the Russian Federation. Further, we are currently unaware of any evidence disproving this theory.

Kaspersky Labs has previously noted the presence of Russian-language artefacts in some of the Duke malware samples [9]. We have also found a Russian-language error message in many PinchDuke samples: “Ошибка названия модуля! Название секции данных должно быть 4 байта!” This roughly translates as, “There is an error in the module’s name! The length of the data section name must be 4 bytes!”

Additionally, Kaspersky noted that based on the compilation timestamps, the authors of the Duke malware appear to primarily work from Monday to Friday between the times of 6am and 4pm UTC+0 [11]. This corresponds to working hours between 9am and 7pm in the UTC+3 time zone, also known as Moscow Standard Time, which covers, among others, much of western Russia, including Moscow and St. Petersburg.

[Figure: Map of timezones in Russia; © Eric Muller [23]. Pink: MSK (UTC+3); Orange: UTC+4]

The Kaspersky Labs analysis of the Duke malware authors’ working times is supported by our own analysis, as well as that performed by FireEye [22]. This assertion of time zone is also supported by timestamps found in many GeminiDuke samples, which similarly suggest the group works in the Moscow Standard Time timezone, as further detailed in the section on the technical analysis of GeminiDuke (page 17).

Finally, the known targets of the Dukes - Eastern European foreign ministries, western think tanks and governmental organizations, even Russian-speaking drug dealers - conform to publicly-known Russian foreign policy and security policy interests. Even though the Dukes appear to have targeted governments all over the world, we are unaware of them ever targeting the Russian government. While absence of evidence is not evidence of absence, it is an interesting detail to note.
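The working-hours inference used in this section (builds Monday to Friday between 6am and 4pm UTC, read as 9am to 7pm in UTC+3) can be reproduced from a list of PE compile timestamps. The following added example is not F-Secure's or Kaspersky's analysis code: it scores candidate UTC offsets by the share of builds that fall inside a weekday 9-to-7 window and reports the best fit, and it reports the earliest and latest build hour in a given zone. The timestamps it uses are constructed for illustration and are not taken from real Duke samples.

```python
"""Working-hours profile from compile timestamps (added example; not F-Secure's or Kaspersky's tooling)."""
from collections import Counter
from datetime import datetime, timedelta, timezone


def _utc(year, month, day, hour, minute):
    """Epoch seconds for a UTC wall-clock time: the unit of the PE header's TimeDateStamp field."""
    return int(datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp())


# Constructed sample: twelve builds in one week of March 2014, not timestamps of real Duke samples.
SAMPLE_TIMESTAMPS = [
    _utc(2014, 3, 3, 6, 15),   # Monday
    _utc(2014, 3, 3, 9, 40),
    _utc(2014, 3, 4, 7, 5),    # Tuesday
    _utc(2014, 3, 4, 13, 30),
    _utc(2014, 3, 5, 8, 50),   # Wednesday
    _utc(2014, 3, 5, 15, 45),
    _utc(2014, 3, 6, 6, 30),   # Thursday
    _utc(2014, 3, 6, 11, 10),
    _utc(2014, 3, 7, 10, 20),  # Friday
    _utc(2014, 3, 7, 14, 55),
    _utc(2014, 3, 8, 11, 0),   # Saturday: the single weekend build
    _utc(2014, 3, 10, 12, 0),  # Monday
]


def to_local(timestamp, offset_hours):
    """Wall-clock time of an epoch timestamp in a fixed UTC+offset zone (daylight saving ignored)."""
    return datetime.fromtimestamp(timestamp, tz=timezone.utc) + timedelta(hours=offset_hours)


def in_office_hours(local, start=9, end=19):
    """True for Monday-to-Friday builds between start (inclusive) and end (exclusive) o'clock."""
    return local.weekday() < 5 and start <= local.hour < end


def office_hours_fraction(timestamps, offset_hours):
    """Share of builds that land inside a weekday 9-to-7 window when viewed in UTC+offset."""
    hits = sum(in_office_hours(to_local(ts, offset_hours)) for ts in timestamps)
    return hits / len(timestamps)


def best_fitting_offset(timestamps, candidates=range(-12, 15)):
    """UTC offset under which the builds look most like an ordinary office week."""
    return max(candidates, key=lambda off: office_hours_fraction(timestamps, off))


def hour_histogram(timestamps, offset_hours):
    """How many builds fall in each local hour; useful for eyeballing the daily rhythm."""
    return Counter(to_local(ts, offset_hours).hour for ts in timestamps)


def local_hour_range(timestamps, offset_hours):
    """Earliest and latest build hour in the given zone; (6, 15) in UTC reads as (9, 18) in UTC+3."""
    hours = hour_histogram(timestamps, offset_hours)
    return min(hours), max(hours)


if __name__ == "__main__":
    best = best_fitting_offset(SAMPLE_TIMESTAMPS)
    print("best fit: UTC%+d" % best, "range in UTC:", local_hour_range(SAMPLE_TIMESTAMPS, 0),
          "range at best fit:", local_hour_range(SAMPLE_TIMESTAMPS, best))
```

A TimeDateStamp can be zeroed or forged, and one campaign's builds may be too few to be conclusive, which is why the paper treats the time zone as corroboration alongside the GeminiDuke timestamps and the targeting pattern rather than as proof on its own.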
Based on the presented evidence and analysis, we believe, with a high level of confidence, that the Duke toolsets are the product of a single, large, well-resourced organization (which we identify as the Dukes) that provides the Russian government with intelligence on foreign and security policy matters in exchange for support and protection.

BIBLIOGRAPHY

1. The White House; Remarks By President Barack Obama In Prague As Delivered; published 5 April 2009; [Online]. Available: https://www.whitehouse.gov/the-press-office/remarks-president-barack-obama-prague-delivered
2. Wikipedia; KavKaz Center; [Online]. Available: https://en.wikipedia.org/wiki/Kavkaz_Center
3. BBC; Nato exercises ‘a dangerous move’; published 17 April 2009; [Online]. Available: http://news.bbc.co.uk/2/hi/europe/8004399.stm
4. Tavis Ormandy; Seclists.org; Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack; published 19 January 2010; [Online]. Available: http://seclists.org/fulldisclosure/2010/Jan/341
5. Timo Hirvonen; F-Secure Labs; CosmicDuke: Cosmu with a Twist of MiniDuke; published 2 July 2014; [Online]. Available: https://www.f-secure.com/documents/996508/1030745/cosmicduke_whitepaper.pdf
6. Yichong Lin, James T. Bennett, Thoufique Haq; FireEye Threat Research blog; In Turn, It’s PDF Time; published 12 February 2013; [Online]. Available: https://www.fireeye.com/blog/threat-research/2013/02/in-turn-its-pdf-time.html
7. Costin Raiu, Igor Soumenkov, Kurt Baumgartner, Vitaly Kamluk; Kaspersky Lab; The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor; published 27 February 2013; [Online]. Available: http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/themysteryofthepdf0-dayassemblermicrobackdoor.pdf
8. Laboratory of Cryptography and System Security (CrySyS Lab); Miniduke: Indicators; published 27 February 2013; [Online]. Available: http://www.crysys.hu/miniduke/miniduke_indicators_public.pdf
9. Mikko Hypponen; F-Secure Weblog; Targeted Attacks and Ukraine; published 1 April 2014; [Online]. Available: https://www.f-secure.com/weblog/archives/00002688.html
10. Feike Hacquebord; Trend Micro; Pawn Storm’s Domestic Spying Campaign Revealed; Ukraine and US Top Global Targets; published 18 August 2015; [Online]. Available: http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storms-domestic-spying-campaign-revealed-ukraine-and-us-top-global-targets/
11. GReAT; Securelist; Miniduke is back: Nemesis Gemina and the Botgen Studio; published 3 July 2014; [Online]. Available: https://securelist.com/blog/incidents/64107/miniduke-is-back-nemesis-gemina-and-the-botgen-studio/
12. Boost C++ Libraries; Version 1.54.0; published 1 July 2013; [Online]. Available: http://www.boost.org/users/history/version_1_54_0.html
13. Artturi Lehtio; F-Secure Weblog; OnionDuke: APT Attacks Via the Tor Network; published 14 November 2014; [Online]. Available: https://www.f-secure.com/weblog/archives/00002764.html
14. Artturi Lehtio; F-Secure Labs; CozyDuke; published 22 April 2015; [Online]. Available: https://www.f-secure.com/documents/996508/1030745/CozyDuke
15. Symantec Security Response; “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory; published 13 July 2015; [Online]. Available: http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory
16. Brandon Levene, Robert Falcone and Richard Wartell; Palo Alto Networks; Tracking MiniDionis: CozyCar’s New Ride Is Related to Seaduke; published 14 July 2015; [Online]. Available: http://researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/
17. Sergey Lozhkin; Securelist; Minidionis – one more APT with a usage of cloud drives; published 16 July 2015; [Online]. Available: https://securelist.com/blog/research/71443/minidionis-one-more-apt-with-a-usage-of-cloud-drives/
18. malware@prevenity; Malware w 5 rocznicę katastrofy samolotu; published 22 April 2015; [Online]. Available: http://malware.prevenity.com/2015/04/malware-w-5-rocznice-katastrofy-samolotu.html (in Polish)
19. malware@prevenity; Wykradanie danych z instytucji publicznych; published 11 August 2015; [Online]. Available: http://malware.prevenity.com/2015/08/wykradanie-danych-z-instytucji.html (in Polish)
20. Wikipedia; Moscow Time; [Online]. Available: https://en.wikipedia.org/wiki/Moscow_Time
21. Exploit Database; CVE: 2010-4398; published 24 November 2014; [Online]. Available: https://www.exploit-db.com/exploits/15609/
22. FireEye; HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group; published July 2015; [Online]. Available: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf *
23. tz_world, an efele.net/tz map; Eric Muller; tz_russia, an efele.net/tz map: A shapefile of the TZ timezones of Russia; published 2 May 2013; [Online].
Available: http://efele.net/maps/tz/russia/ Data listings APPENDIX I 29 APPENDIX I: DATA LISTINGS PinchDuke Campaign identifiers                                   alkavkaz.com20081105 cihaderi.net20081112 20090111 diploturk_20090305_faruk 20090310I mofa.go.ug_20090317 plcz_20090417 20090421_NN1 20090427_n_8 20090513_Cr natoinfo_ge 20090608_G mod_ge_2009_07_03 20090909_Bel mofa-go-ug-2009-09-09 20091008_Af nat_20092311 turtsia_20091128 mfagovtr_20091204 modge_20100126 GEN20100215 par_ge_20100225 pr_ge_20100225 tika_20100326 harpa_20100329 sanat_20100412 mfakg_20100413 leskz_20100414 leskg_20100422 az_emb_uz_20100518 sat_20100524 emb_azerb_uz_20100609 sat_2010_07_26 kaz_2010_07_30 Malware SHA1 hashes                          07b4e44b6b3e1c3904ded7d6c9dcf7fa609467ef 0cf68d706c38ab112e0b667498c24626aec730f6 155004c1cc831a7f39caf2bec04f1841b61af802 17df96e423320ddfb7664413bf562a6b1aaef9d4 1c124e1523fcbef25c4f3074b1f8088bcad2230f 285ac0fb341e57c87964282f621b3d1f018ab7ea 2f156a9f861cda356c4ddf332d71937ac9962c68 333f5acc35ea0206f7d1deadcb94ca6ec9564d02 34af1909ec77d2c3878724234b9b1e3141c91409 383fc3c218b9fb0d4224d69af66caf09869b4c73 45ee9aa9f8ef3a9cc0b4b250766e7a9368a30934 52164782fc9f8a2a6c4be2b9cd000e4a60a860ed 7371eecafbaeefd0dc5f4dd5737f745586133f59 797b3101b9352be812b8d411179ae765e14065a6 a10f2dc5dbdbf1a11ebe4c3e59a4c0e5d14bcc8a a3dfb5643c824ae0c3ba2b7f3efb266bfbf46b02 ad2cac618ab9d9d4a16a2db32410607bbf98ce8f bf48d8126e84185e7825b69951293271031cbad4 c1e229219e84203ba9e26f2917bd268656ff4716 c59114c79e3d3ddd77d6919b88bc99d40205e645 c8ae844baea44ec1db172ae9b257dbac04dcbbe7 d5905327f213a69f314e2503c68ef5b51c2d381e e7720ab728cb18ea329c7dd7c9b7408e266c986b fdc65f38f458ceddf5a5e3f4b44df7337a1fb415 fdfd9abbaafe0bee747c0f1d7963d903174359df Exploit file SHA1 hashes   50f8ea7eb685656c02a83420b3910d14ac588c8b 9fae684a130c052ad2b55ebaf7f6e513c0e62abe 30 APPENDIX I Data listings GeminiDuke Malware SHA1 hashes      
3ed561786ca07c8e9862f4f682c1828a039d6dd4 6b0b8ad038c7ae2efbad066b8ba22de859b81f98 a3653091334892cf97a55715c7555c8881230bc4 b14b9241197c667f00f86d096d71c47d6fa9aca6 c011552d61ac5a87d95e43b90f2bf13077856def •• CosmicDuke Malware SHA1 hashes                                              01e5080b832c6e4fcb7b9d06caffe03dab8d95da 02f55947402689ec755356ab6b0345a592446da7 03c5690728b7dffb2f4ab947fe390264751428aa 0653a8f06b140f4fac44acb3be723d7bb2602558 0bc8485ce6c24bb888e2329d479c9b7303bb98b4 0c8db6542172de98fa16c9bacfef9ed4099fd872 0d8f41fe09dbd75ab953f9e64a6cdbbbc198bf2b 0e5f55676e01d8e41d77cdc43489da8381b68086 0ff7ce34841c03c876b141c1f46d0ff2519889cc 11b5cfb37efb45d2c721cbf20cab7c1f5c1aa44b 151362502d569b16453e84a2f5d277d8e4e878c2 174373ab44cf6e7355f9dbb8469453519cb61a44 18d983ba09da695ce704ab8093296366b543996a 1a31245e943b131d81375d70b489d8e4bf3d6dce 1ce049522c4df595a1c4c9e9ca24be72dc5c6b28 1df78a1dc0aa3382fcc6fac172b70aafd0ed8d3d 1e5c6d3f64295cb36d364f7fa183177a3f5e6b7e 2345cd5c112e55ba631dac539c8efab850c536b2 2b1e7d54723cf9ee2fd133b8f17fa99470d7a51a 322e042cf1cb43a8072c4a4cbf6e37004a88d6f7 332aac7bdb0f697fd96e35c31c54d15e548061f4 365f61c7886ca82bfdf8ee19ce0f92c4f7d0901e 3980f0e3fe80b2e7378325ab64ecbe725ae5eca9 3f4a5bf72a15b7a8638655b24eb3359e229b9aea 42dbfbedd813e6dbea1398323f085a88fa014293 4a9875f646c5410f8317191ef2a91f934ce76f57 4aaac99607013b21863728b9453e4ffee67b902e 4e3c9d7eb8302739e6931a3b5b605efe8f211e51 4fbc518df60df395ea27224cb85c4da2ff327e98 4fd46c30fb1b6f5431c12a38430d684ed1ff5a75 524aaf596dc12b1bb479cd69c620914fd4c3f9c9 541816260c71535cfebc743b9e2770a3a601acdf 558f1d400be521f8286b6a51f56d362d64278132 55f83ff166ab8978d6ce38e80fde858cf29e660b 580eca9e36dcd1a2deb9075bcae90afee46aace2 5a199a75411047903b7ba7851bf705ec545f6da9 5c5ec0b5112a74a95edc23ef093792eb3698320e 63aedcd38fe947404dda4fbaddb1da539d632417 6483ed51bd244c7b2cf97db62602b19c27fa3059 658db78c0ce62e08e86b51988a222b5fb5fbb913 
6a43ada6a3741892b56b0ef38cdf48df1ace236d 6b7a4ccd5a411c03e3f1e86f86b273965991eb85 6db1151eeb4339fc72d6d094e2d6c2572de89470 7631f1db92e61504596790057ce674ee90570755 764add69922342b8c4200d64652fbee1376adf1c                                      7803f160af428bcfb4b9ea2aba07886f232cde4e 78d1c1e11ebae22849bccb3eb154ec986d992364 7ad1bef0ba61dbed98d76d4207676d08c893fc13 807c3db7385972a78b6d217a379dab67e68a3cf5 88b7ead7c0bf8b3d8a54b4a9c8871f44d1577ce7 8a2227cafa5713297313844344d6b6d9e0885093 8aa9f5d426428ec360229f4cb9f722388f0e535c 8ab7f806fa18dd9a9c2dc43db0ad3ee79060b6e8 8f4138e9588ef329b5cf5bc945dee4ad9fec1dff 9090de286ce9126e8e9c1c3a175a70ab4656ca09 91fd13a6b44e99f7235697ab5fe520d540279741 926046f0c727358d1a6fbdd6ff3e28bc67d5e2f6 9700c8a41a929449cfba6567a648e9c5e4a14e70 97c62e04b0ce401bd338224cdd58f5943f47c8de a2ed0eaaeadaa90d25f8b1da23033593bb76598e a421e0758f1007527fec4d72fa2668da340554c9 a74eceea45207a6b46f461d436b73314b2065756 a7819c06746ae8d1e5d5111b1ca711db0c8d923e a81b58b2171c6a728039dc493faaf2cab7d146a5 b2a951c5b2613abdb9174678f43a579592b0abc9 b54b3c67f1827dab4cc2b3de94ff0af4e5db3d4c b579845c223331fea9dfd674517fa4633082970e bbe24aa5e554002f8fd092fc5af7747931307a15 c2b5aff3435a7241637f288fedef722541c4dad8 c637a9c3fb08879e0f54230bd8dca81deb6e1bcf cbca642acdb9f6df1b3efef0af8e675e32bd71d1 ccb29875222527af4e58b9dd8994c3c7ef617fd8 cd7116fc6a5fa170690590e161c7589d502bd6a7 d303a6ddd63ce993a8432f4daab5132732748843 e60d36efd6b307bef4f18e31e7932a711106cd44 e841ca216ce4ee9e967ffff9b059d31ccbf126bd ecd2feb0afd5614d7575598c63d9b0146a67ecaa ed14da9b9075bd3281967033c90886fd7d4f14e5 ed328e83cda3cdf75ff68372d69bcbacfe2c9c5e f621ec1b363e13dd60474fcfab374b8570ede4de fbf290f6adad79ae9628ec6d5703e5ffb86cf8f1 fecdba1d903a51499a3953b4df1d850fbd5438bd Exploit file SHA1 hashes          1e770f2a17664e7d7687c53860b1c0dc0da7157e 353540c6619f2bba2351babad736599811d3392e 412d488e88deef81225d15959f48479fc8d387b3 
5295b09592d5a651ca3f748f0e6401bd48fe7bda 65681390d203871e9c21c68075dbf38944e782e8 74bc93107b1bbae2d98fca6d819c2f0bbe8c9f8a 8949c1d82dda5c2ead0a73b532c4b2e1fbb58a0e c671786abd87d214a28d136b6bafd4e33ee66951 f1f1ace3906080cef52ca4948185b665d1d7b13e Data listings APPENDIX I 31 MiniDuke Malware SHA1 hashes                                                         00852745cb40730dc333124549a768b471dff4bc 03661a5e2352a797233c23883b25bb652f03f205 045867051a6052d1d910abfcb24a7674bcc046ca 0d78d1690d2db2ee322ca11b82d79c758a901ebc 0e263d80c46d5a538115f71e077a6175168abc5c 103c37f6276059a5ff47117b7f638013ccffe407 118114446847ead7a2fe87ecb4943fdbdd2bbd1e 15c75472f160f082f6905d57a98de94c026e2c56 1ba5bcd62abcbff517a4adb2609f721dd7f609df 1e6b9414fce4277207aab2aa12e4f0842a23f9c1 223c7eb7b9dde08ee028bba6552409ee144db54a 28a43eac3be1b96c68a1e7463ae91367434a2ac4 296fd4c5b4bf8ea288f45b4801512d7dec7c497b 2a13ae3806de8e2c7adba6465c4b2a7bb347f0f5 2ceae0f5f3efe366ebded0a413e5ea264fbf2a33 2d74a4efaecd0d23afcad02118e00c08e17996ed 30b377e7dc2418607d8cf5d01ae1f925eab2f037 31ab6830f4e39c2c520ae55d4c4bffe0b347c947 36b969c1b3c46953077e4aabb75be8cc6aa6a327 416d1035168b99cc8ba7227d4c7c3c6bc1ce169a 43fa0d5a30b4cd72bb7e156c00c1611bb4f4bd0a 493d0660c9cf738be08209bfd56351d4cf075877 4b4841ca3f05879ca0dab0659b07fc93a780f9f1 4ec769c15a9e318d41fd4a1997ec13c029976fc2 53140342b8fe2dd7661fce0d0e88d909f55099db 5acaea49540635670036dc626503431b5a783b56 5b2c4da743798bde4158848a8a44094703e842cb 634a1649995309b9c7d163af627f7e39f42d5968 683104d28bd5c52c53d2e6c710a7bd19676c28b8 694fa03160d50865dce0c35227dc97ffa1acfa48 73366c1eb26b92886531586728be4975d56f7ca5 827de388e0feabd92fe7bd433138aa35142bd01a 909d369c42125e84e0650f7e1183abe740486f58 9796d22994ff4b4e838079d2e5613e7ac425dd1d a32817e9ff07bc69974221d9b7a9b980fa80b677 a4e39298866b72e5399d5177f717c46861d8d3df a6c18fcbe6b25c370e1305d523b5de662172875b a9e529c7b04a99019dd31c3c0d7f576e1bbd0970 
ad9734b05973a0a0f1d34a32cd1936e66898c034 b27f6174173e71dc154413a525baddf3d6dea1fd b8b116d11909a05428b7cb6dcce06113f4cc9e58 c17ad20e3790ba674e3fe6f01b9c10270bf0f0e4 c39d0b12bb1c25cf46a5ae6b197a59f8ea90caa0 c6d3dac500de2f46e56611c13c589e037e4ca5e0 cb3a83fc24c7b6b0b9d438fbf053276cceaacd2e cc3df7de75db8be4a0a30ede21f226122d2dfe87 cd50170a70b9cc767aa4b21a150c136cb25fbd44 cdcfac3e9d60aae54586b30fa5b99f180839deed d22d80da6f042c4da3392a69c713ee4d64be8bc8 d81b0705d26390eb82188c03644786dd6f1a2a9e de8e9def2553f4d211cc0b34a3972d9814f156aa e4add0b118113b2627143c7ef1d5b1327de395f1 e95e2c166be39a4d9cd671531b376b1a8ceb4a55 edf74413a6e2763147184b5e1b8732537a854365 efcb9be7bf162980187237bcb50f4da2d55430c2 f62600984c5086f2da3d70bc1f5042cf464f928d CozyDuke Malware SHA1 hashes                                          01d3973e1bb46e2b75034736991c567862a11263 04aefbf1527536159d72d20dea907cbd080793e3 0e020c03fffabc6d20eca67f559c46b4939bb4f4 1e5f6a5624a9e5472d547b8aa54c6d146813f91d 207be5648c0a2e48be98dc4dc1d5d16944189219 23e20c523b9970686d913360d438c88e6067c157 25b6c73124f11f70474f2687ad1de407343ac025 32b0c8c46f8baaba0159967c5602f58dd73ebde9 446daabb7ac2b9f11dc1267fbd192628cc2bac19 482d1624f9450ca1c99926ceec2606260e7ce544 49fb759d133eeaab3fcc78cec64418e44ed649ab 5150174a4d5e5bb0bccc568e82dbb86406487510 543783df44459a3878ad00ecae47ff077f5efd7b 6b0721a9ced806076f84e828d9c65504a77d106c 6e00b86a2480abc6dbd971c0bf6495d81ed1b629 78e9960cc5819583fb98fb619b33bff7768ee861 7e9eb570ef07b793828c28ca3f84177e1ab76e14 8099a40b9ef478ee50c466eb65fe71b247fcf014 87668d14910c1e1bb8bbea0c6363f76e664dcd09 8b357ff017df3ed882b278d0dbbdf129235d123d 8c3ed0bbdc77aec299c77f666c21659840f5ce23 93d53be2c3e7961bc01e0bfa5065a2390305268c 93ee1c714fad9cc1bf2cba19f3de9d1e83c665e2 9b56155b82f14000f0ec027f29ff20e6ae5205c2 b65aa8590a1bac52a85dbd1ea091fc586f6ab00a bdd2bae83c3bab9ba0c199492fe57e70c6425dd3 bf265227f9a8e22ea1c0035ac4d2449ceed43e2b bf9d3a45273608caf90084c1157de2074322a230 
c3d8a548fa0525e1e55aa592e14303fc6964d28d c6472898e9085e563cd56baeb6b6e21928c5486d ccf83cd713e0f078697f9e842a06d624f8b9757e dea73f04e52917dc71cc4e9d7592b6317e09a054 e0779ac6e5cc76e91fca71efeade2a5d7f099c80 e76da232ec020d133530fdd52ffcc38b7c1d7662 e78870f3807a89684085d605dcd57a06e7327125 e99a03ebe3462d2399f1b819f48384f6714dcba1 ea0cfe60a7b7168c42c0e86e15feb5b0c9674029 eb851adfada7b40fc4f6c0ae348694500f878493 f2ffc4e1d5faec0b7c03a233524bb78e44f0e50b f33c980d4b6aaab1dc401226ab452ce840ad4f40 f7d47c38eca7ec68aa478c06b1ba983d9bf02e15 32 APPENDIX I Data listings OnionDuke Malware SHA1 hashes                             073faad9c18dbe0e0285b2747eae0c629e56830c 145c5081037fad98fa72aa4d6dc6c193fdb1c127 16b632b4076a458b6e2087d64a42764d86b5b021 1e200fbb02dc4a51ea3ede0b6d1ff9004f07fe73 22bae6be13561cec758d25fa7adac89e67a1f33a 25e0af331b8e9fed64dc0df71a2687be348100e8 3bf6b0d49b8e594f8b59eec98942e1380e16dd22 42429d0c0cade08cfe4f72dcd77892b883e8a4bc 5ccff14ce7c1732fadfe74af95a912093007357f 61283ef203f4286f1d366a57e077b0a581be1659 6b3b42f584b6dc1e0a7b0e0c389f1fbe040968aa 6b631396013ddfd8c946772d3cd4919495298d40 7b3652f8d51bf74174e1e5364dbbf901a2ebcba1 7d17917cb8bc00b022a86bb7bab59e28c3453126 7d871a2d467474178893cd017e4e3e04e589c9a0 7efd300efed0a42c7d1f568e309c45b2b641f5c2 91cb047f28a15b558a9a4dff26df642b9001f8d7 9a277a63e41d32d9af3eddea1710056be0d42347 a75995f94854dea8799650a2f4a97980b71199d2 b3873d2c969d224b0fd17b5f886ea253ac1bfb5b b491c14d8cfb48636f6095b7b16555e9a575d57f c1ec762878a0eed8ebf47e122e87c79a5e3f7b44 cce5b3a2965c500de8fa75e1429b8be5aa744e14 d433f281cf56015941a1c2cb87066ca62ea1db37 e09f283ade693ff89864f6ec9c2354091fbd186e e519198de4cc8bcb0644aa1ab6552b1d15c99a0e f2b4b1605360d7f4e0c47932e555b36707f287be f3dcbc016393497f681e12628ad9411c27e57d48 SeaDuke Malware SHA1 hashes    3459d9c27c31c0e8b2ea5b21fdc200e784c7edf4 aa7cf4f1269fa7bca784a18e5cecab962b901cc2 bb71254fbd41855e8e70f05231ce77fee6f00388 •• HammerDuke Malware SHA1 hashes  
42e6da9a08802b5ce5d1f754d4567665637b47bc

CloudDuke Malware SHA1 hashes

Related IP addresses

Related domain names

Note:
the listed IP addresses and domain names are provided for research purposes. While all of them have been associated with the Dukes at some point in time, they may or may not be currently in use by the Dukes.

F-Secure detection names

Backdoor:W32/MiniDuke.A
Trojan-Dropper:W32/MiniDuke.B
Exploit:W32/MiniDuke.C
Trojan-Dropper:W32/MiniDuke.D
Backdoor:W32/MiniDuke.E
Backdoor:W32/MiniDuke.F
Backdoor:W32/MiniDuke.F
Backdoor:W32/MiniDuke.H
Backdoor:W32/MiniDuke.I
Backdoor:W32/MiniDuke.J
Trojan-Dropper:W32/CosmicDuke.A
Trojan-PSW:W32/CosmicDuke.B
Trojan:W32/CosmicDuke.C
Exploit:W32/CosmicDuke.D
Exploit:SWF/CosmicDuke.E
Trojan-PSW:W32/CosmicDuke.F
Trojan-Dropper:W32/CosmicDuke.G
Trojan:W32/CosmicDuke.H
Trojan:W32/CosmicDuke.I
Backdoor:W32/OnionDuke.A
Trojan-Dropper:W32/OnionDuke.A
Backdoor:W32/OnionDuke.B
Trojan:W32/OnionDuke.C
Trojan:W32/OnionDuke.D
Trojan-PSW:W32/OnionDuke.E
Trojan:W32/OnionDuke.F
Trojan:W32/OnionDuke.G
Trojan:W32/CozyDuke.A
Trojan:W32/CozyDuke.B
Trojan-Dropper:W32/CozyDuke.C
Trojan:W32/CozyDuke.D
Trojan:W64/CozyDuke.E
Trojan-Downloader:W32/CloudDuke.A
Trojan:W32/CloudDuke.B
Trojan:W64/CloudDuke.B
Backdoor:W32/SeaDuke.A

Note: F-Secure also detects various Duke malware components with other detections not specific to the Dukes.
