CosmicDuke hackers caught hitting UK government systems

04 Jul 2014
White hats uncover mysterious CosmicDuke mongrel family of malware

Researchers from Kaspersky Lab have uncovered a wave of attacks leveraging the recently discovered CosmicDuke malware, warning that it has already infected more than 10 UK systems.

CosmicDuke is a new form of malware that combines the infamous MiniDuke backdoor with the much older Cosmu malware family. It was first uncovered by researchers at F-Secure on Thursday.

It was originally unclear if the malware was being used for real-world attacks. However, on Friday Kaspersky Lab researchers reported finding evidence that the malware is being used to mount an ongoing advanced hack campaign.

“Recently, we became aware of an F-Secure publication on the same topic under the name ‘CosmicDuke’. During the analysis, we were able to obtain a copy of one of the CosmicDuke command-and-control servers,” read the report.

“One of the CosmicDuke servers we analysed had a long list of victims dating back to April 2012. This server had 265 unique identifiers assigned to victims from 139 unique IPs.”

The UK is the fourth worst-affected country, with Kaspersky detecting 14 infections. Above it, the United States, Russia and Georgia suffered 34, 61 and 84 CosmicDuke infections respectively.

The malware grants hackers a variety of powers and installs a number of attack tools including a keylogger, clipboard stealer, screenshotter and password stealers for a variety of popular chat, email and web browsing programs.

Kaspersky reported that the victims included governments, diplomatic bodies, energy companies, telecom operators, military departments and contractors and “individuals involved in the traffic and selling of illegal and controlled substances”.

The Kaspersky researchers said the MiniDuke malware is particularly dangerous as it leverages several advanced techniques to hide its activities.

“MiniDuke/CosmicDuke is protected with a custom obfuscated loader, which heavily consumes CPU resources for three to five minutes before passing execution to the payload. This not only complicates analysis of the malware but is also used to drain resources reserved for execution in emulators integrated in security software,” explained the report.

“Besides its own obfuscator, it makes heavy use of encryption and compression based on the RC4 and LZRW algorithms respectively. Implementations of these algorithms have tiny differences from the standardised code, which perhaps looks like a mistake in the code. Nevertheless, we believe that these changes were introduced on purpose to mislead researchers.”
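The report's point about RC4 being "almost but not quite" standard matters to anyone writing a decryptor for recovered samples: a stock RC4 routine will silently produce garbage. The quickest way to tell a standard routine from a tweaked one is to run it against the published RC4 test vectors. The following Python is an added illustration, not code from the V3 article, Kaspersky or F-Secure; the `output_offset` variant is a hypothetical tweak constructed for the demonstration and is not CosmicDuke's actual modification, which the article does not describe.

```python
"""Reference RC4 with a test-vector check that flags non-standard variants.

Added illustration only. The 'output_offset' knob is a constructed, hypothetical
deviation of the kind the report describes; it is not the real malware's change.
"""
from binascii import unhexlify
from typing import Callable, List, Tuple


def rc4(key: bytes, data: bytes, output_offset: int = 0) -> bytes:
    """Standard RC4 when output_offset == 0.

    A non-zero offset is a one-line 'tiny difference': the PRGA reads its
    output byte from S[(S[i] + S[j] + offset) % 256] instead of the standard
    S[(S[i] + S[j]) % 256]. Because S is a permutation, every output byte
    differs from standard RC4, yet the cipher still round-trips on its own.
    """
    # Key-scheduling algorithm (KSA): permute S under the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA), XORed into the data.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j] + output_offset) % 256])
    return bytes(out)


# Published RC4 test vectors: (key, plaintext, expected ciphertext as hex).
TEST_VECTORS = [
    (b"Key", b"Plaintext", "BBF316E8D940AF0AD3"),
    (b"Wiki", b"pedia", "1021BF0420"),
    (b"Secret", b"Attack at dawn", "45A01F645FC35B383552544B9BF5"),
]


def check_vectors(cipher: Callable[[bytes, bytes], bytes]) -> List[Tuple[bytes, bytes, bytes]]:
    """Run `cipher(key, plaintext)` over the vectors.

    Returns a list of (key, expected, got) for every mismatch; an empty list
    means the routine is byte-for-byte standard RC4 on these inputs.
    """
    failures = []
    for key, plaintext, expected_hex in TEST_VECTORS:
        expected = unhexlify(expected_hex)
        got = cipher(key, plaintext)
        if got != expected:
            failures.append((key, expected, got))
    return failures


def is_standard_rc4(cipher: Callable[[bytes, bytes], bytes]) -> bool:
    """True only if the candidate routine passes all published vectors."""
    return not check_vectors(cipher)


if __name__ == "__main__":
    standard = lambda k, d: rc4(k, d)
    variant = lambda k, d: rc4(k, d, output_offset=1)  # hypothetical tweak
    print("standard routine:", "matches vectors" if is_standard_rc4(standard) else "deviates")
    print("tweaked routine: ", "matches vectors" if is_standard_rc4(variant) else "deviates")
    # The tweaked cipher is still self-consistent: it decrypts its own output,
    # so a sample using it works fine, while a stock RC4 decryptor does not.
    ct = variant(b"Secret", b"Attack at dawn")
    print("variant round-trip ok:", variant(b"Secret", ct) == b"Attack at dawn")
```

In practice an analyst lifts the candidate routine from the sample (or re-implements it from disassembly) and feeds it to `check_vectors`; a mismatch with a correct key tells them immediately that they are dealing with a variant and must port the sample's exact arithmetic rather than reach for a library RC4.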

F-Secure security analyst Sean Sullivan told V3 the firm has so far only caught decoy document samples of CosmicDuke and is yet to see it used in a real-world attack, but added that there is evidence to suggest it is being used by state-sponsored groups.

"It appears to be state sponsored. Or else it is an organised actor – perhaps a contractor who is gathering information to sell to a government. At the moment, crimeware which targets consumers is under attack by international law enforcement so it is quite possible that the displaced crimeware vendors found a new buyer of information."

Sullivan cited CosmicDuke as proof that firms must invest in cyber security, warning them: "You are a target. Keep calm and secure your stuff. For IT managers: ask for the security budget you need, and fight for it. There is more evidence than ever that letting cost dictate security is bad management."

CosmicDuke is one of many advanced threats uncovered recently. Symantec reported on Wednesday that the infamous Dragonfly hackers have returned and are targeting a number of Western critical infrastructure companies with cyber attacks capable of physically sabotaging their systems.

Alastair Stevenson

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.
