
F-Secure study links CozyDuke to high-profile espionage

by david.nunes


F-Secure Labs’ latest white paper highlights CozyDuke as part of an ongoing series of Advanced Persistent Threats targeting governments and other large organisations.

The white paper describes CozyDuke as part of a continuing menace facing governments and other large organisations. CozyDuke is an Advanced Persistent Threat (APT) toolkit that uses combinations of tactics and malware to compromise its targets and steal information from them, and the new analysis links it to other APTs responsible for a number of high-profile attacks.

According to the analysis, CozyDuke shares command and control resources with the prominent MiniDuke and OnionDuke APTs. F-Secure Labs has attributed several high-profile attacks to these APT platforms, including malicious attacks against people using a Russian Tor exit node and targeted attacks against NATO and a number of European government agencies*. CozyDuke utilises much of the same infrastructure as these other platforms and employs components with encryption algorithms similar to those used by OnionDuke, linking the same technology to different campaigns.

“All of these threats are related to one another and share resources, but they’re built a little bit differently to make them more effective against particular targets,” says F-Secure security advisor Sean Sullivan. “The interesting thing about CozyDuke is that it’s being used against a more diverse range of targets. Many of its targets are still western governments and institutions, but we’re also seeing it being used against targets based in Asia, which is a notable observation to make.”

CozyDuke and its associates are believed to originate from Russia**. The attackers establish a beachhead in an organisation by tricking employees into doing something such as opening an attachment in an email that distracts users with a decoy file (like a PDF or a video), allowing CozyDuke to infect their system without being noticed. Attackers can then perform a variety of tasks by using different payloads compatible with CozyDuke, and this can let them gather passwords and other sensitive information, remotely execute commands or intercept confidential communications.

Sullivan acknowledges there is not yet sufficient evidence to definitively conclude what the attackers’ true identities and motives are, but he is quite confident that they are the same people responsible for attacks attributed to OnionDuke and MiniDuke. “CozyDuke has actually been around since 2011, but it’s something that’s been developing, so it keeps on changing. This tells us that a group or groups have been investing time and money to nurture these tools, so figuring out what they’re after now is really what we need to be focusing on.”

The white paper also notes that CozyDuke checks for security software before establishing its infection, and that the presence of certain products can cause it to abandon the attack. The white paper, penned by F-Secure Threat Intelligence Analyst Artturi Lehtiö, is free and available for download from F-Secure’s website.


*Source: https://www.f-secure.com/weblog/archives/00002764.html

**Source: https://www.f-secure.com/weblog/archives/00002780.html

More information:

CozyDuke Malware Analysis

Threat Report H2 2014

F-Secure – Switch on freedom

F-Secure is an online security and privacy company from Finland. We offer millions of people around the globe the power to surf invisibly and share stuff, safe from online threats. We are here to fight for digital freedom. Join the movement and switch on freedom.

Founded in 1988, F-Secure is listed on NASDAQ OMX Helsinki Ltd.

f-secure.com | twitter.com/fsecureukteam | facebook.com/f-secure
