Hackers target European governments using MiniDuke malware

Cyber criminals have targeted government officials in more than 20 countries in a complex online assault rarely seen since the turn of the millennium. The attack, dubbed ‘MiniDuke’ by researchers, has infected government computers in an attempt to steal geopolitical intelligence, according to security experts.

MiniDuke is the latest in a string of cyber-attacks aimed at governments and other high-profile institutions. The latest security alert follows closely on the heels of the revelations about the suspected Chinese hacking of western defence and media organisations. Security experts are, however, uncertain who is responsible for the latest attacks. Kaspersky Lab, the cyber-security firm which discovered MiniDuke, said the attackers had servers based in Panama and Turkey, but an examination of the code revealed no further clues about its origin.

Many governments have been targeted including those of Ireland, Romania, Portugal, Belgium and the Czech Republic. The malware is also known to have compromised the computers of the prominent CrySys research foundation in Hungary, two think tanks, and an unnamed healthcare provider in the US.

The victims’ computers were infected when they opened a cleverly disguised Adobe PDF attachment to an email. The document would be tailored specifically to its target, according to the researchers, as unsuspecting government victims were more likely to open an attachment that mentioned foreign policy, a human rights seminar, or NATO membership plans.

According to Eugene Kaspersky, founder and chief executive of Kaspersky Lab, this was a significant attack and mimicked the type of old-school cyber-attack seen in the late twentieth century:

“I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyber world.”

What made MiniDuke so sophisticated was that the operators used an unusual approach to communicate with infected machines. The virus was programmed to search for Tweets from specific Twitter accounts that contained instructions for controlling those personal computers. In cases where they could not access those Tweets, the virus ran Google searches to receive its marching orders.
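The command-and-control pattern described above (a fixed social-media profile polled on a schedule, with a web search as the fallback channel) leaves a characteristic trace in web proxy logs: one workstation fetching the same profile URL at a near-constant interval, and a search-engine query appearing right after a failed fetch. The following Python script is an added example, not code from the article or from Kaspersky Lab, showing how a defender can hunt for that trace. The proxy log format, the host names and the account and query names are all constructed placeholders; the real MiniDuke accounts are not given in the article and none are assumed here.

```python
"""Added example: flag periodic polling of a social-media profile in proxy logs,
and a search-engine query issued immediately after a failed poll (fallback channel).
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed log format: "YYYY-MM-DD HH:MM:SS host METHOD url status"
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample lines. The account name and search query are placeholders,
# not indicators from the real campaign. WS-101 polls one profile every ~10 minutes
# and falls back to a web search when the poll fails; WS-205 is ordinary browsing.
SAMPLE_LOG = """\
2013-02-27 09:00:00 WS-101 GET https://twitter.com/example_c2_account 200
2013-02-27 09:03:11 WS-205 GET https://twitter.com/some_news_outlet 200
2013-02-27 09:10:02 WS-101 GET https://twitter.com/example_c2_account 200
2013-02-27 09:20:01 WS-101 GET https://twitter.com/example_c2_account 200
2013-02-27 09:30:00 WS-101 GET https://twitter.com/example_c2_account 503
2013-02-27 09:30:05 WS-101 GET https://www.google.com/search?q=placeholder+marker 200
2013-02-27 09:40:03 WS-101 GET https://twitter.com/example_c2_account 200
2013-02-27 11:47:52 WS-205 GET https://twitter.com/some_news_outlet 200
"""


def parse_log(text):
    """Parse log lines into dicts sorted by timestamp; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S"),
            "host": m["host"],
            "url": m["url"],
            "status": int(m["status"]),
        })
    records.sort(key=lambda r: r["ts"])
    return records


def is_profile_url(url):
    """True for a URL of the form https://twitter.com/<account> (one path segment)."""
    p = urlparse(url)
    segments = [s for s in p.path.split("/") if s]
    return p.netloc in ("twitter.com", "www.twitter.com") and len(segments) == 1


def is_search_url(url):
    """True for a Google web search URL."""
    p = urlparse(url)
    return p.netloc.endswith("google.com") and p.path == "/search"


def find_periodic_pollers(records, min_hits=4, max_jitter_ratio=0.1):
    """Return {(host, profile_url): stats} for hosts that fetch one profile URL
    at least min_hits times with a near-constant gap (stdev/mean <= max_jitter_ratio)."""
    by_key = defaultdict(list)
    for r in records:
        if is_profile_url(r["url"]):
            by_key[(r["host"], r["url"])].append(r["ts"])
    flagged = {}
    for key, times in by_key.items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
        if jitter <= max_jitter_ratio:
            flagged[key] = {"count": len(times), "mean_interval": avg, "jitter": jitter}
    return flagged


def find_search_fallback(records, pollers, window_seconds=60):
    """For each flagged poller, find a search-engine query from the same host
    within window_seconds after a non-200 poll; returns (host, profile_url, search_url)."""
    hits = []
    for host, url in pollers:
        failed = [r["ts"] for r in records
                  if r["host"] == host and r["url"] == url and r["status"] != 200]
        searches = [r for r in records if r["host"] == host and is_search_url(r["url"])]
        for t in failed:
            for s in searches:
                delta = (s["ts"] - t).total_seconds()
                if 0 <= delta <= window_seconds:
                    hits.append((host, url, s["url"]))
                    break
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    pollers = find_periodic_pollers(recs)
    for key, stats in pollers.items():
        print("periodic poller:", key, stats)
    for hit in find_search_fallback(recs, pollers):
        print("search fallback after failed poll:", hit)
```

The jitter threshold is the part worth tuning: human browsing of a profile page is bursty, whereas a scheduled poll from malware shows a tight interval even when it has small random sleep added, so a low stdev/mean ratio over a handful of fetches is a strong signal. The fallback check is deliberately narrow (same host, search issued within a minute of a failed poll) so that it confirms the polling alert rather than generating noise of its own.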

Once opened, the MiniDuke malware would install itself on a victim’s computer. It is not known what information the attackers were targeting, but in the opinion of Vitali Kamluk, chief malware expert at Kaspersky Lab, and Kurt Baumgartner, a senior security researcher with Kaspersky, the interest in such high-profile victims undoubtedly raises suspicions:

“This is a unique, fresh and very different type of attack. The technical indicators show this is a new type of threat actor that hasn’t been reported on before.”

If you would like help with security audits, penetration testing or web security solutions from Barracuda Networks, Check Point, Alien Vault and Netwrix, please contact Krypsys on 0845 474 3031 or [email protected].