Why the West is Easily Duked: The Strategic Anatomy of the Duke-type Russian Cyber-Attacks

Thursday, 17. September 2015
Mika Aaltola
Programme Director - the Global Security research programme

A spate of recent cyber-attacks, hitherto not much discussed in public, have targeted different Western security organizations. These persistent attacks have used a group of information-stealers, the Dukes: MiniDuke was used to attack European government organizations and NATO, CosmicDuke was active during 2014, and recently CozyDuke targeted the White House and the US Department of State. The Dukes typically infect a person’s computer through an email containing a link or a decoy attachment; opening it establishes backdoor access to the victim’s system. Although the Dukes are different, they share some features (e.g. the loader) and have a family resemblance that is also indicated in the naming scheme.[i] The shared features of these attacks have led to speculation concerning the perpetrator(s) behind them. However, the attribution of a cyber-attack can easily be misdirected. One can hide the true identity of the perpetrators – e.g. by using third parties as attack vectors, by using common identifying markers, or by leaving misleading ‘hints’ within the code.

Despite the inherent obscurity, repeated attacks leave better markers of identification: first, the signature of the intended targets gets clearer; second, cyber-attacks are based on human activity, and errors are becoming increasingly detectable; and finally, the forensic tools have improved in ways that could not be foreseen a few years ago. The just-released F-Secure Labs’ analysis is so far the best-evidenced and most detailed investigation into the long history of Duke malware attacks.[ii] Past research indicates that CozyDuke has been developed at least since 2011,[iii] but the current analysis details evidence from 2008 onwards. The veil of strategic ambiguity surrounding the Dukes is being lifted. The list of original targets reinforces the geopolitical intention of the attacks. Similarities within the code, as well as identifying markers left by human error, point to the true agency behind the Duking.

It is becoming increasingly clear that the Dukes are linked to a Russian actor within the government or close to the government.[iv] The targets are mostly Western governmental and intergovernmental organizations; the list of targets also includes, e.g., foreign and defence ministries, activist sites, and a few major Western think-tanks. On the whole, the list concentrates on entities whose interests oppose, are lukewarm towards, or bring negative attention to Russian geostrategic aims.[v] This pattern of targets over many years can be used to narrow the range of possible perpetrators who are likely to have the persistent intent and the necessary capabilities to execute such attacks. The perpetrator(s) of the known attacks seem to share the same infrastructure as well as to share and develop the code.

This analysis will examine why it would make sense for Russia to use Duking as part of its geostrategic toolbox. However, it also leads to important questions concerning the nature of such attacks and the current effectiveness of Western cyber-deterrence. The Duking has been relatively simple and the attacks frequent, so why has there not been any slap on the wrist for the attackers?


Fuller Spectrum of Conflict

Many in the Russian leadership firmly believe that the state is in conflict with the West. Russian actions in Ukraine challenge the security architecture and status quo prevailing since the end of the Cold War. How do the Dukes fit with the emerging pattern of Russia's geopolitical challenges?

One possible strategic scenario is the apparent Russian adaptation of more hybrid conflict practices. These practices are based on the use of an increasingly broad spectrum of tools. The cyber-modality seems to offer an attractive addition to this toolbox.

The key to the much-analyzed hybrid practices is the notion that any weakness has to be utilized for one’s own strategic advantage. Showcasing Western weaknesses is useful not only for direct military benefit but for the purposes of demonstrating and catalyzing Western vulnerability and insecurity. Duking can work together with the other tools used for similar purposes. These hybrid tools range from intelligence gathering and disinformation campaigning to different types of destabilization operations. Such synchronized use of tools indicates that Russia has quite effectively broken down the stove-pipes separating its harder and softer means of exerting power.

Moreover, the hybrid and combinatorial practices challenge the separation between peacetime and wartime contexts. It seems that in its practices Russia uses the peacetime context for different types of special operations against actors it sees as hostile or lukewarm towards its strategic goals.

One clear goal relevant to the Duking and other cyber-operations is the creation of strategic ambiguity. Managing to carry out repeated successful attacks under an obscuring veil creates a sense of power and invulnerability in itself. By using advanced persistent threats, Russia demonstrates its status as an equal among the major powers that have been known to use complex cyber-tools for geopolitical purposes.

Well-targeted cyber-attacks can be utilized to demonstrate a perpetrator’s actual capabilities and reach. "Duking" can also be seen in the context of Russia's increased willingness to take calculated risks. The Dukes by themselves do not rise above the threshold of direct harm to Western critical infrastructures. So far, they have been unlikely to attract decisive retaliatory action. Risks are clearly taken, but in a calculated way that maximizes the psychological effect. The seven years of Duking activity demonstrate below-the-waterline campaigning capabilities. Furthermore, the cyber-operations combine with the well-documented disinformation operations in the West and in the Nordic-Baltic region. This adds to the psychological effect – the whole is greater than the sum of its parts.

The revelation of the operations does not necessarily negate the intended effect of the Duking; the revealed attacks accentuate and show off the perpetrators’ capabilities. It can even be useful for the attacker that the image of a powerful modern actor, as well as the low deterrence of the Western entities, is highlighted in the media. Russia can convey an image of a powerful modern actor that has more capabilities than it actually has. When the operations become public, the perpetrators can always point to the attribution issues and deny their role in the operations in order to delegitimize any retaliation. It is difficult to know what was stolen and what the precise goals of the attacks were. This guessing further heightens ambiguity, confusion, and obscurity. Thus, perhaps paradoxically, the success of attacks that relies on their covert nature is not negated when they become public.

Carefully calculated cyber-attacks are useful in regions where Russia has no clear hard power tools.

The digital sphere eradicates physical distance; cyber-means can be used against states far away from the Russian borders. The targets of the Duke attacks include states and organizations in Europe and in the US. Furthermore, even the smaller states in the Nordic-Baltic region can be useful targets, as other means cannot be used directly against them. The campaigning aims to create geopolitical hesitation in the smaller states whose possible reorientation might cause a headache for Russia’s overall geopolitical aims. For bigger states and governmental organizations it shows the ineffective state of their cyber-defence and deterrence. It heightens alarm and creates further pressure to acknowledge Russian political insinuations or face the costs of continued attacks and of revamping and reorganizing the existing cyber-defences.


Attribution and Cyber-deterrence

One important disruptive characteristic of cyber hacking stems from the difficulty of attributing attacks to their perpetrators. By carefully maintaining this fog, the attacker can keep further attacks going. This situation leads to problems in establishing effective cyber-deterrence. Deterrence can be based on passive stabilizers that make attacks impossible through, e.g., resilient, shock-absorbing, and constant protection of critical systems. Deterrence can also be achieved by an active and clear response against the perpetrators once an attack has taken place.

The key to effective deterrence is the absence of undesirable behaviour; deterrence is about making someone decide not to do something. Effective deterrence depends on timely detection and a speedy response, usually in the form of negative reinforcement. The absence of such a stimulus-response pattern can be seen as a factor that increases the likelihood that the actor(s) behind malicious attacks will continue with or increase their activities. It is highly significant that the Duke attacks - which have been taking place repeatedly since 2008 - signal low Western cyber-deterrence. Repeated attacks by the same perpetrator with very similar tools strongly suggest a failure of both the passive and the active deterrence methods.

The weakness of cyber-defences causes public alarm, inter- and intra-organizational disruptions, and loss of trust. Repeated successful attacks without effective counter-measures further catalyze a sense of insecurity, mistrust, and vulnerability. Such a repeated offence is a consequential demonstration that the initiative lies with the attacker. Russia has been able to set the tempo of events and to show initiative in a highly public way without any response. The method used in the Duke attacks has been known for years. It has not been plugged, nor have there been any unclassified counter-actions against the attacker(s). Especially after the attacks against NATO and targets in the US, many have been left wondering why the West and the US have not responded in a visible way.

An effective system for attribution with a clear-cut response mechanism - e.g. through economic sanctions - can deter further attacks. Counter-attacking capabilities can be used to heighten this level of deterrence. However, it should be noted that this logic favours maintaining a certain level of continued attacks for capability-demonstration purposes. The Dukes can be seen from this perspective: they allow the Russian actor(s) to showcase capability and intent without crossing the threshold that would trigger strong counter-reactions. It is also possible that the lack of a clear Western response to the Dukes suggests that the Russian activities are part of its punishing and deterrence-establishing actions in response to Western cyber-attacks on Russian systems. However, it is more likely that the Western lack of open response is not only due to the attribution problem; there are also political sensitivities involved.

Using counter-measures, such as economic sanctions or retaliatory cyber-attacks, would make sense from the deterrence perspective. However, in the case of Russia - and especially in the case of China - the US and the other Western states face obstacles. A slap on the wrist for the attackers might further escalate the already tense relations. It would make it harder to continue, for example, economic and trade relationships with actors that already face multiple types of sanctions. Compared to China, effectively deterring Russia is more politically and economically feasible. Yet there are fears over Russian counter-actions against, for example, Western financial institutions. Russia could respond by further escalating the military situation in Ukraine or in Syria.


Level of Harm

The US has been using a harm scale for measuring the damage done and for indicating what counter-measures would be appropriate. The most serious forms of attack cause harm to major cyber networks or to critical infrastructure, for example by disrupting the national power grid. These attacks also include the theft of important intellectual property or trade secrets, or otherwise profiting from serious disruptive activity.

However, measuring harm is never simple. The Dukes, as well as other recent attacks, indicate a level of disruption that goes beyond mere economic loss or compromised networks. An attack can cause mistrust, disloyalty, and other political consequences. For example, the stealing of data can be accompanied by sabotage. When the OPM data was breached, allegedly by Chinese actors, the systems were compromised in a way that could have granted the malicious actors the capability to modify, delete and add personnel records.[vi] Attacks in which the targets do not know what has been done lower trust in the organization and its data.

Trustworthiness is a major victim of the attacks. This can be seen as an unintended consequence of an attack that seems to target data. However, it is increasingly clear that one of the most important consequences of the attacks is actually the psychological uncertainty and loss of trust. In the case of the Duke attacks, access to the system is gained through someone in the organization opening a decoy document. Often, the spread happens through the infection of someone's email and the sending of further emails through his or her account to friends and colleagues. This seems to have been the case with the hacking of the White House in 2014. Some evidence suggests that CozyDuke was used to infect first the Department of State and, through it, the White House. Whether intended or not, such a pattern of attack lowers the level of intra- and inter-organizational trust, loyalty, and solidarity.

The disruptive psychological effect is enhanced by the logic of 'robbing the same bank many times'. The repeated intrusions into Western institutions lead to a greater sense of vulnerability and unpredictability. The repeated intrusions into the Western realms of digitalized security test the sense of security, which is the reason for the existence of these institutions in the first place.

Possible sustained and large-scale cyber campaigns can be used to undermine the political infrastructure. The logic of this is similar to strategic bombing during the Second World War. The aerial bombardment campaigns were used to terrorize, disorganize, and disrupt normalcy in enemy population centres. Maximizing the psychological effect depends on the ability to penetrate the air defences at regular yet unpredictable intervals. On a smaller scale, it can be suggested that the Dukes are meant to demonstrate the penetrability of the Western digital realms. It can be suggested that the attacks on NATO and the White House were meant to convey a sense of great skill and menacing power.

The West’s main response has been to strengthen passive deterrence through better cyber-security. This means that the systems are in a constant reactive mode, experiencing different types of shocks, disruptions, and attacks. Ideally the systems would be in a continual state of resilience, self-monitoring, and self-repair. However, the question remains: can such a high state of resilience be achieved without active means of cyber-deterrence such as economic sanctions or counter-attacks? The answer most likely is "no". This is demonstrated by the Duke cases, which indicate a relative lack of resilience on the part of the Western systems.

[iv] The background organization is able to develop the code and analyze the captured data, which involves materials in several languages. This indicates a size of at least a few dozen workers.

[v] Other targets have a law enforcement function, such as Russian dealers of illicit substances.

Texts reflect the opinions of the individual authors