What is the large cyber spy organization "The Dukes" with the shadow of the Russian government shining?

Security company F - Secure, large - scaleAPT attackAnd cyberspy activities that "The Dukes (APT 29)We announced a report on the group called. According to the report, there is a Russian government behind The Dukes.

The Dukes: 7 Years Of Russian Cyber-Espionage | News from the Lab
https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/

The Dukes 7 years of Russian cyberespionage
(PDF file)https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

Seven years of malware linked to Russian state-backed cyber espionage | Ars Technica
http://arstechnica.com/security/2015/09/seven-years-of-malware-linked-to-russian-state-backed-cyberespionage/

The Dukes (APT 29) uses a remote access tool called "HAMMERTOSS" and a back door to allow users to read images containing malware via Twitter or other web services such as GitHub to steal data or to the Department of Defense It is a hacker group of Russia known for spear fishing.

So far, The Dukes uses numerous malware such as HAMMERTOSS (HammerDuke), MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (MiniDionis), and many security companies including F- I have been doing research. Fully understood the whole thing, but F - Secure has found clues leading to The Dukes from known malware by analyzing two tools "PinchDuke" and "GeminiDuke".

A list of tools that has been used by The Dukes so far and its confirmation time are as follows. The leftmost two PinchDuke and GeminiDuke are confirmed for the first time around 2009, they are old tools that have not been found evidence used in mid 2010 and after the end of 2012, respectively.


The tool name contains a common character string "Duke (Duke / Duke)", but this naming rule is that Kaspersky researchers who discovered "MiniDuke" found that the structure of the backdoor was found before that It was derived from the fact that it was similar to Malware "ItaDuke" so that we can understand the relationship. "Duke" as a name is derived from malware "Duqu (Duke)" which is raging and not named by a hacker group. Likewise, the name "The Dukes" is also called a group of tools named "Duke" in the sense that it is called a group, the group is not self-stated, it is officially called "APT 29" It is.


The feature of The Dukes lies in its ability to continue to acquire information without noticing the target, mainlyWestern countriesOf the central government ministries / political think tanks / government subcontractors etc. In addition to the Western countries, the countries of the Independent State Community, the Asian-African-Middle Eastern countries, and the extremists of Chechnya are also covered.

In recent years, it is known that semi-annual hiring of hundreds of government agencies and related institutions, a total of thousands of people spear phishing. When a hacker group finds a "target" that is worthwhile among people at risk, switching among the tool sets to be used will make the information gather more relaxed and long-term. The strategy has been known to continue for at least seven years and it shows that it is consistent with Russia's and foreign security policy.

Of course, The Duke side also knows that research on themselves is underway, but the strategy seems to be highly appreciated by the group's supporters, stopping the tool once, interrupting the strategy , It seems that it has not been done to fix it more highly confidential. However, it is said that corrections are being made while starting the tool.

Although F-Secure believes that "the Russian government is involved," whether The Dukes is a government internal team, an external team, or whether the criminal group is moving with a high payment, a patriot He says he does not know whether the group is doing it.