State-sponsored cyberattacks linked to Russian intelligence gathering

F-Secure Labs linked a number of state-sponsored cyberattacks to a hacking group engaged in Russian intelligence gathering.

Specific targets of the attacks include the former Georgian Information Center on NATO (now called the Information Center on NATO and EU), the Ministry of Defense of Georgia, the ministries of foreign affairs in both Turkey and Uganda, and other government institutions and political think tanks in the United States, Europe, and Central Asia.

Artturi Lehtiö, the F-Secure Researcher heading the investigation, said the new analysis strengthens claims that the group is backed by Russia, and is working to support Russian intelligence gathering.

“The research details the connections between the malware and tactics used in these attacks to what we understand to be Russian resources and interests. These connections provide evidence that helps establish where the attacks originated from, what they were after, how they were executed, and what the objectives were. And all the signs point back to Russian state-sponsorship.”

The Dukes use nine different variants of malware toolsets, and while many of those toolsets were previously known to researchers, it was Lehtiö’s discovery of two new variants that allowed him to make new connections between the group and the attacks.

According to Patrik Maldre, a Junior Research Fellow with the International Center for Defense and Security, these connections provide vital information that researchers can use to put together a bigger picture about how Russia uses cyberattacks to support their intelligence gathering and political objectives.

“The connections identified in the report have significant international security implications, particularly for states in Eastern Europe and the Caucasus,” said Maldre. “They shed new light on how heavily Russia has invested in offensive cyber capabilities, and demonstrate that those capabilities have become an important component in advancing its strategic interests. By linking together seven years of individual attacks against Georgia, Europe, and the United States, the report confirms the need for current and prospective NATO members to strengthen collective security by increasing cyber cooperation in order to avoid becoming victims of Russian information warfare, espionage, and subterfuge.”

Mika Aaltola, Program Director for the Global Security research program at the Finnish Institute of International Affairs, said the report has special significance for countries in Northern Europe.

“Smaller countries, such as Sweden and Finland, are particularly vulnerable to this kind of espionage. Nordic and Baltic countries are always trying to balance Russian and Western interests, and Russia uses their cyberattack capabilities to find ways to tip the balance in their favor. Attributing cyberattacks is notoriously challenging, which lets Russia deny their activities in this space, and exert their influence in much softer, much less visible ways.”

The complete report is available here.