MiniDuke cyberattack compromises 23 European governments, say researchers

x86 Assembler and zero days used to open back door

Kaspersky Lab and Hungarian cyber-hunters CrySys have discovered another apparent state-sponsored spy program the firms believe has successfully compromised systems inside at least 23 different governments, some as recently as a week ago.

Dubbed 'MiniDuke', it is about as odd a piece of malware as one can imagine, which these days usually spells trouble.

The researchers first noticed it as unnamed malicious PDFs exploiting a recent Adobe Reader zero-day flaw (CVE-2013-0640), reported by security firm FireEye on 12 February, which Adobe suggested Reader XI users counter for the time being by turning on 'protected' mode.

Now we can see why security firms were so worried about this particular zero-day, not least because the attacks appear to have worked spectacularly well.

In essence, MiniDuke is a back door with a difference. Its purpose is probably to allow the theft of sensitive documents, but it is the way it is built that really catches the attention.

To aid stealth and to stymie emulation-based security (which steps through code to work out what it is trying to do), its creators made extensive use of x86 Assembler, a language last seen in malware in the early days of computer viruses, up to the mid-1990s, when a tiny memory footprint mattered.

Kaspersky describes this as "old school", but 'old world' might be closer to the mark. It is certainly unexpected and odd.

A second more bizarre element is a tiny but quite deliberate clue buried in the code itself that looks like a reference to the infamous, long-running and defunct '29A' (hex for '666') group of malware writers that disappeared from view about five years ago.

Are one or more of the mischievous 29A writers back in action? Surely not, but if they are, MiniDuke suggests they are working for a state actor now or have a secret admirer.

Another interesting characteristic is the use of Twitter as a command-and-control channel: MiniDuke fetches commands from numerous accounts that identify themselves with the string "uri!". A second, backup channel was also found on Google.
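The article gives defenders one concrete hunting handle: tweets from the C2 accounts carry the string "uri!". The script below is an added example, not code from the article or from Kaspersky or CrySys, showing how a hunt over tweet records would flag that marker and rank accounts by how often they post it. The tweet records, account names and the tokens after the marker are all constructed for the example (the article does not say how the real payload after "uri!" is encoded, so nothing is decoded here).

```python
import re
from collections import defaultdict

# Constructed sample of (account, text) records, standing in for what a hunt
# over a Twitter search would return. None of these accounts or tokens are real.
SAMPLE_TWEETS = [
    ("weather_bot_42", "Sunny in Brussels, 14C"),
    ("acct_a1b2c3", "uri!Ab3dEf9GhIj"),
    ("acct_a1b2c3", "uri!Kl0MnOpQrSt"),
    ("news_feed_x", "Budget talks continue this week"),
    ("acct_z9y8x7", "status update uri!UvWxYz123456 end"),
]

# The marker the article reports; capture the opaque token that follows it so
# it can be recorded as an indicator without guessing at its encoding.
MARKER_RE = re.compile(r"uri!(\S+)")


def find_marker_tweets(tweets):
    """Return (account, token) pairs for every tweet carrying the 'uri!' marker."""
    hits = []
    for account, text in tweets:
        for match in MARKER_RE.finditer(text):
            hits.append((account, match.group(1)))
    return hits


def accounts_by_hits(tweets):
    """Count marker tweets per account, most prolific first, to prioritise the hunt."""
    counts = defaultdict(int)
    for account, _token in find_marker_tweets(tweets):
        counts[account] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for account, token in find_marker_tweets(SAMPLE_TWEETS):
        print(f"{account}: {token}")
    print(accounts_by_hits(SAMPLE_TWEETS))
```

The same two functions work unchanged on records pulled from proxy or DLP logs that retain response bodies; the accounts returned by `accounts_by_hits` are the ones worth feeding to a blocklist or a takedown request.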

According to Kaspersky and CrySys, MiniDuke appears to have compromised at least 59 unique victims in 23 countries, overwhelmingly European governments.

The full list of governments attacked is long: Ukraine, Belgium, Portugal, Romania, the Czech Republic, Ireland and Hungary, to pick only a few prominent ones. Victims were also found in the US, where it had been detected inside the networks of think tanks, a research institute and a healthcare provider, researchers said.

A Kaspersky source told Techworld that the program targets specific countries more than others (no word yet of which) and had probably been operating for months rather than years.

"This is a very unusual cyberattack," said Kaspersky Lab founder and CEO, Eugene Kaspersky with the understatement of a sage.

"I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyberworld."

Kaspersky's researchers themselves said it reminded them of Duqu and the more recent Red October malware, although this is probably more to do with unconscious emulation than a direct connection.

This much we can say. Cyberweapons concocted by states to attack other states can be big and bad (Flame), highly targeted (Stuxnet) and slightly odd (Duqu); for now MiniDuke must be placed in a decidedly strange wing of its own. It has been no less effective for all that.
