
Behind the curtain with Russia’s cyber-espionage masters

They're called the Dukes, and they seem to be unstoppable.


Patrick Howell O'Neill


Posted on Sep 17, 2015   Updated on May 27, 2021, 11:17 pm CDT

When top United States officials talk about their greatest adversaries in cyberwar, two countries are always mentioned: China and Russia.

With the American cyber conflict with China set to reach the highest level this month, when the two countries' leaders meet face to face, new research peeks behind the veil of Russia's most potent hackers, who are accused of using sophisticated tactics to hit targets everywhere from Ukraine to the White House over much of the last decade.

Who are the Dukes?

A group known as “the Dukes” has been operating for at least the last seven years as an advanced persistent threat (APT), the term computer security experts use for well-resourced hacking groups that pursue their targets persistently over long periods.


“With the Dukes, we aren’t just talking about technical threat—pieces of malware—anymore,” F-Secure researcher Artturi Lehtiö told the Daily Dot in an interview. F-Secure is a Finnish computer security firm. 

“We are talking about a highly capable, well-resourced, organized group of humans persistently engaging in cyber-espionage,” Lehtiö said. “Therefore, the Dukes should rather be viewed as an extension of the espionage that nation states have always engaged in via any available means. In the case of the Dukes, that means to an end is cyber.”

In some ways, the Dukes lack the raw technical power of other Russian hackers. But tactically speaking, they’ve attracted serious praise from expert observers.

“The tools used by the Dukes are not technically as sophisticated as some of the most advanced Russian APTs we are aware of, but what does set the Dukes apart is the sophistication of their tactics,” Lehtiö said. “They appear to be extremely well aware of how their target organizations operate, how these organizations defend and respond against cyber-espionage, and, crucially, where are the cracks in their defenses that the Dukes can slip through to penetrate those organizations.”

The group targets governments in the West, Africa, the Middle East, and Asia, according to new F-Secure research that uncovered two previously unknown malware campaigns by the Dukes.

Attributing cyberattacks is notoriously difficult, but some APTs can be identified because their work shares recognizable commonalities, even across years of diverse operations.

The reasons so many security researchers and even U.S. government officials are confident in attributing the Dukes’ attacks to Russia are numerous.

The victims, which include foreign embassies, lawmakers, defense contractors, Russian-speaking drug dealers, and more, suggest a sophisticated state sponsor whose geopolitical interests coincide with the Russian government’s, F-Secure found.

Beyond the victims, the malware itself suggests Russian origin. The code powering all the Duke malware shares wide similarity, including Russian-language portions, and delivery methods include an infected torrent of a tool for drawing up fake Russian passports.

The fact that the Dukes have operated for seven years, running well-coordinated campaigns that do not overlap, suggests strong financial backing and centralized control, according to F-Secure.

“All the available evidence” points to Russia, the researchers assert, including Russian-language artifacts in the code and file timestamps consistent with working hours in the time zone of Moscow and St. Petersburg.

The Dukes have an extensive history of action detailed by F-Secure. 

In 2008, they are believed to have authored two sets of malware that targeted activists around the war in Chechnya. 

By 2009, the group was setting its crosshairs on a variety of governments, including that of Georgia, which had gone to war with Russia the previous year. The Dukes also targeted the West in campaigns related to the U.S. and NATO, using malicious Microsoft Word documents and PDF files sent as email attachments.

Email spear phishing is one of the Dukes’ favorite tactics. The hackers will send sharply tailored emails to specific individuals targeted because they have access to, for instance, U.S. foreign policy think tanks or key embassies.

How to defend yourself from the Dukes

Lehtiö explained in detail how readers can defend themselves against a threat like the Dukes’ spear phishing emails. 

“The key to identifying such emails is twofold,” he said, adding:

If the sender appears to be someone you know, make sure that it was actually sent by them. Is it actually from their email address or has someone registered a similar looking email address in an attempt to deceive you?

Or even if it appears to be from the correct email address, the sender could have been faked. If you are at all unsure, why not send a quick text message or give a quick call to the person who supposedly sent the email and check that they actually sent it.

On the other hand, if the sender is not someone you are familiar with, then is it an email that you should plausibly be receiving? Receiving an email purporting to be a notification about the arrival of an efax, for instance, should be suspicious if you’ve never asked anyone to send you an efax or especially if you’ve never even heard of an efax.

Often these spear phishing emails will contain the malware as an attachment. This attachment might be an actual malicious executable pretending to be something else or it might be a malicious document file like a Microsoft Word document or a PDF.

In the case of attached executables, security settings on a computer can be used to disable the execution of executables that arrived as email attachments. As for malicious document files, in the case of the Dukes, these exploit already publicly known vulnerabilities. Therefore keeping your software up-to-date and patched is key.
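The two checks Lehtiö describes, whether the sender is really who they appear to be and whether the attachment is really what it claims to be, can be automated as a first-pass triage before a human decides whether to pick up the phone. The script below is an added example written for this page; it is not code from F-Secure, Lehtiö, or the Daily Dot. The contact domains, the list of executable extensions, and the three sample messages are constructed for illustration. It flags sender domains that are not known correspondents, domains that turn into a known one after undoing common character substitutions (a digit for a letter, "rn" for "m"), Reply-To or Return-Path headers that disagree with From, and attachments whose extension or declared type means they will execute when opened.

```python
"""Spear-phishing triage: added example for this page, not F-Secure's or the
Daily Dot's code. Applies two checks to raw RFC 5322 messages: who really
sent this, and is the attachment what it claims to be."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed: domains of correspondents the recipient actually exchanges mail with.
KNOWN_DOMAINS = {"state.gov", "nato.int", "example-thinktank.org"}
# Extensions Windows runs on double-click; a "document" ending in one of these executes.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "lnk"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "jpg", "png", "txt"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/x-msdos-program"}
# Digit-for-letter substitutions typical of registered lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(domain):
    """Fold lookalike characters so 'stat3.gov' or 'rnail.example' compare to their targets."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance; one typo away from a known domain is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Domain of the first address in a header, or '' if the header is absent."""
    _, addr = parseaddr(str(header_value) if header_value else "")
    return addr.rpartition("@")[2].lower()


def classify_sender_domain(domain):
    if domain in KNOWN_DOMAINS:
        return "known"
    for known in KNOWN_DOMAINS:
        if (normalize(domain) == normalize(known)
                or edit_distance(normalize(domain), known) <= 1
                or domain.startswith(known + ".")):  # e.g. state.gov.attacker.example
            return f"lookalike of {known}"
    return "unknown"


def attachment_findings(msg):
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        labels = name.split(".")
        ext = labels[-1] if len(labels) > 1 else ""
        if ext in EXECUTABLE_EXTS:
            findings.append(f"executable attachment: {name}")
        if len(labels) > 2 and labels[-2] in DOCUMENT_EXTS:
            findings.append(f"double extension disguises file type: {name}")
        if part.get_content_type() in EXECUTABLE_TYPES:
            findings.append(f"attachment declared as {part.get_content_type()}: {name}")
    return findings


def triage(raw_message):
    """Return human-readable findings for one message; an empty list means nothing flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(msg["From"])
    findings = []
    verdict = classify_sender_domain(from_domain)
    if verdict != "known":
        findings.append(f"sender domain {from_domain}: {verdict}")
    # A forged From often cannot also control where replies and bounces go.
    for hdr in ("Reply-To", "Return-Path"):
        other = domain_of(msg[hdr])
        if other and other != from_domain:
            findings.append(f"{hdr} domain {other} differs from From domain {from_domain}")
    findings.extend(attachment_findings(msg))
    return findings


def build_sample(sender, reply_to=None, attachment=None):
    """Constructed sample message; attachment is (filename, content-type)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "analyst@example-thinktank.org"
    msg["Subject"] = "Agenda for next week"
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content("Please see the attached agenda.")
    if attachment:
        name, ctype = attachment
        maintype, subtype = ctype.split("/")
        msg.add_attachment(b"MZ\x90\x00stub", maintype=maintype, subtype=subtype, filename=name)
    return msg.as_string()


SAMPLES = {  # constructed for illustration, not real messages
    "legit": build_sample('"Jane Analyst" <jane@state.gov>'),
    "lookalike": build_sample('"Jane Analyst" <jane@stat3.gov>', reply_to="<drop@mailbox.example>",
                              attachment=("agenda.pdf.exe", "application/x-msdownload")),
    "efax": build_sample("<notify@efax-delivery.example>",
                         attachment=("fax-0093.scr", "application/octet-stream")),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw) or ["nothing flagged"])
```

Running the file prints nothing flagged for the legitimate message, five findings for the lookalike (substituted domain, mismatched Reply-To, and an executable hiding behind a .pdf name), and two for the unsolicited efax notification. The domain heuristics are deliberately simple and will miss a lookalike registered under an unrelated name, which is exactly why Lehtiö's advice to confirm out of band with the supposed sender remains the decisive check; the script only decides which messages are worth that call.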

Over time, the group’s malware grew more advanced and diverse. The arsenal expanded in the shadows until 2013, when security researchers at FireEye, an American network security firm, sniffed out a previously unknown (0-day) vulnerability in Adobe Reader that was being exploited through malicious PDF files.

The Russian firm Kaspersky Lab found more related malware just a week later and gave the previously unknown hackers the Duke moniker because their malware was reminiscent of, though operationally unrelated to, another highly advanced malware family: Duqu.


Rather than stop after being discovered, the newly famous Dukes kept operations up in the face of an intensifying spotlight.

The Dukes don’t engage only in cyberespionage between nations. From 2013 to 2014, research shows, the group’s malware also targeted domestic, Russian-speaking drug dealers.

Also beginning in 2013, the group used the Tor anonymity network, software originally developed and financed by the U.S. government, to control malware that stole passwords, gathered information, launched denial-of-service attacks, and posted spam. This activity was not discovered until 2014.

“They certainly don’t seem to be fazed by the publicity they’ve garnered,” Lehtiö told the Daily Dot. “In fact, they only appear to be getting bolder and more brazen in their activities. I think the fact that they’ve been operating non-stop for at least seven years is testament to the value the Dukes are generating for their benefactors.”

Illustration by Max Fleishman

*First Published: Sep 17, 2015, 1:39 pm CDT