MiniDuke cyberattack compromises 23 European governments, say researchers

x86 assembler and a zero-day used to open a back door

Kaspersky Lab and Hungarian cyber-hunters CrySyS have discovered another apparent state-sponsored spy program that the firms believe has successfully compromised systems inside at least 23 different governments, some as recently as a week ago.

Dubbed 'MiniDuke', it is about as odd a piece of malware as one can imagine, which these days usually spells trouble.

The researchers first noticed it as the then-unnamed malicious PDFs exploiting a recent Adobe Reader zero-day (CVE-2013-0640), reported by security firm FireEye on 12 February. Pending a patch, Adobe advised Reader XI users to protect themselves by turning on Protected View, so that files from untrusted locations are opened in the sandboxed view rather than rendered with full privileges.
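As an added illustration of that stop-gap (example code, not from the article or from Adobe), the following PowerShell checks whether Reader XI's Protected View and Protected Mode are enabled for the current user and switches them on if not. It assumes Reader XI keeps these settings under the per-user registry paths shown (the TrustManager\iProtectedView and Privileged\bProtectedMode values); those paths and value names are an assumption of this example.

```powershell
# Added example (not from the article): check and enforce Adobe Reader XI
# Protected View / Protected Mode via the per-user registry.
# Assumption: Reader XI stores these settings under the HKCU paths below.

$ReaderKey = 'HKCU:\Software\Adobe\Acrobat Reader\11.0'

function Get-ReaderProtectionState {
    # Returns an object describing both mitigations.
    # iProtectedView: 0 = off, 1 = files from potentially unsafe locations, 2 = all files
    # bProtectedMode: 1 = sandboxed rendering on (the Reader X/XI default)
    $pv = Get-ItemProperty -Path "$ReaderKey\TrustManager" -Name iProtectedView -ErrorAction SilentlyContinue
    $pm = Get-ItemProperty -Path "$ReaderKey\Privileged"   -Name bProtectedMode -ErrorAction SilentlyContinue

    $viewLevel = 0
    if ($pv) { $viewLevel = [int]$pv.iProtectedView }
    $modeFlag = 0
    if ($pm) { $modeFlag = [int]$pm.bProtectedMode }

    [PSCustomObject]@{
        ProtectedView = $viewLevel
        ProtectedMode = $modeFlag
    }
}

function Enable-ReaderProtectedView {
    # Level 1 = untrusted locations only, 2 = every PDF (the safer choice while unpatched).
    param([ValidateSet(1, 2)][int]$Level = 2)

    foreach ($sub in 'TrustManager', 'Privileged') {
        if (-not (Test-Path "$ReaderKey\$sub")) {
            New-Item -Path "$ReaderKey\$sub" -Force | Out-Null
        }
    }
    # Protected View only works with Protected Mode on, so set both.
    New-ItemProperty -Path "$ReaderKey\TrustManager" -Name iProtectedView -PropertyType DWord -Value $Level -Force | Out-Null
    New-ItemProperty -Path "$ReaderKey\Privileged"   -Name bProtectedMode -PropertyType DWord -Value 1      -Force | Out-Null
}

$before = Get-ReaderProtectionState
if ($before.ProtectedView -eq 0 -or $before.ProtectedMode -ne 1) {
    Write-Warning "Reader XI: ProtectedView=$($before.ProtectedView) ProtectedMode=$($before.ProtectedMode); enabling both"
    Enable-ReaderProtectedView -Level 2
}
Get-ReaderProtectionState | Format-List
```

Two caveats a practitioner would want: Reader has to be restarted for the change to take effect, and because these are HKCU values any user can flip them back, so a managed fleet should enforce the same settings through policy rather than rely on a per-user script. Protected View also only contains the exploit; it is a mitigation until the Reader patch is applied, not a substitute for it.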

Now we can see why security firms were so worried about this particular zero-day, not least because the attacks appear to have worked spectacularly well.

In essence, MiniDuke is a back door with a difference. Its purpose is probably to allow the theft of sensitive documents, but it is the way it is built that really catches the attention.

To aid stealth and to frustrate emulation-based antivirus engines (which run suspect code inside an emulator to work out what it is trying to do), its creators made extensive use of hand-written x86 assembler, an approach rarely seen in modern malware and most associated with the viruses of the late 1980s and 1990s, when a tiny memory footprint mattered.

Kaspersky describes this as "old school", but 'old world' might be closer to the mark. It is certainly unexpected and odd.

A second, more bizarre element is a tiny but quite deliberate clue buried in the code itself that looks like a reference to the infamous, long-running and now defunct '29A' (hexadecimal for 666) group of malware writers, which disappeared from view about five years ago.

Are one or more of the mischievous 29A writers back in action? Surely not, but if they are, MiniDuke suggests they are now working for a state actor, or have a secret admirer.

Another interesting characteristic is the use of Twitter as a command and control channel: MiniDuke retrieves its commands from a number of accounts whose tweets are marked with the string "uri!". A second, backup channel using Google was also found.

According to Kaspersky and CrySyS, MiniDuke appears to have compromised at least 59 unique victims in 23 countries, overwhelmingly European governments.

The list of governments attacked is long: Ukraine, Belgium, Portugal, Romania, the Czech Republic, Ireland and Hungary, to name only a few of the more prominent. Victims were also found in the US, where the malware had been detected inside the networks of think tanks, a research institute and a healthcare provider, the researchers said.

The malware targets some countries more heavily than others (no word yet on which), and a Kaspersky source told Techworld that the program had probably been operating for months rather than years.

"This is a very unusual cyberattack," said Kaspersky Lab founder and CEO, Eugene Kaspersky with the understatement of a sage.

"I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyberworld."

Kaspersky's researchers themselves said it reminded them of Duqu and the more recent Red October malware, although this is probably more a matter of unconscious emulation than a direct connection.

This much we can say. Cyberweapons concocted by states to attack other states can be big and bad (Flame), highly targeted (Stuxnet) and slightly odd (Duqu); for now MiniDuke must be placed in a decidedly strange wing of its own. It has been no less effective for all that.

By John E Dunn