Meet MiniDuke: Espionage Malware Hitting European Governments

Posted: 6th March 2013

Details of the latest major malware threat to burst on to the global scene, “MiniDuke”, continue to surface. Its existence was first revealed last week by Kaspersky Lab when they published research conducted with a team from Budapest University’s Laboratory of Cryptography and System Security (CrySyS Lab). To summarize, the researchers reported that an Adobe Reader 0-day exploit distributed through malicious PDF documents has infected government and corporate targets in more than 20 countries and remains active.

The authors of this blog and members of the Recorded Future team have long discussed applications specifically for real-time surveillance of open source intelligence on cyber threats, so we’ll use this as an opportunity to arrange a “dashboard” on MiniDuke that our readers can consult for developments and new details on attackers, targets, and threat vectors.

MiniDuke History

The below timeline highlights events related to MiniDuke from 2011 to 2012. In the event that further evidence of past data breaches emerges, this timeline will fill in to reflect those historical events. The image below was captured on March 5, 2013; click to interact with the most up-to-date data.

A few key points available at the time of writing:

  • From Bitdefender press release: “The MiniDuke sample just discovered by Bitdefender researchers dates back to at least June 20, 2011, predating the oldest know variant — also discovered by Bitdefender — by almost a year.”
  • From the Register: “The 2011 vintage MiniDuke sample pulls the location of its command-and-control systems from an active Twitter account – a single encoded URL was tweeted on 21 February, 2012 – and lays dormant on infected computers if it can’t connect to Twitter.”
  • From CIO: “The people behind the MiniDuke cyber-espionage campaign have operated since at least April 2012, when one of the special Twitter accounts was first created…”

Accused and Attacked Countries

One of the impressive points about MiniDuke is its breadth of government targets globally. The image below, captured March 5, 2013, shows countries mentioned related to MiniDuke; it should be noted that some of targets, some are the locations of host servers, and others are accused attackers. Again, displayed information will update live as reporting mentions additional locations related to MiniDuke, and you can click to interact with the most up-to-date data.

Targets and Threat Vectors

We’ve already scoped out the history of MiniDuke and the locations known to be either affected by or related to the recently uncovered strand of malware. But what government agencies and corporate entities have been affected by MiniDuke? It’s not quite clear yet, but as targeted organizations are identified, tangential operations will want to know as early as possible to understand their exposure.

Thus far, in addition to the government agencies in those countries mentioned above, Kaspersky has stated that it believes a “research institute, two think tanks and healthcare provider in the US and an unspecified research foundation in Hungary” may have been affected. Like you, we await the identification of these organizations as well as any other targets that may emerge.

More Recent Zero Day Threats

Thinking about all of the above information, the other thing that we’d like to set up for our surveillance of these types of issues would be to keep an eye on reported zero day threats to different products and organizations. The below network graph displays organizations, technologies, products, and locations mentioned in relation to zero day threats. This can be revisited in order to see the latest seven days of information on these types of threats.

Follow U

Using Recorded Future, we could quickly set up similar applications for other such information security threats. You can visit all of the visualization shown above in the Recorded Future report Monitoring MiniDuke or see examples of the other cyber surveillance and analysis available in the Recorded Future Gallery.

Contact Recorded Future if you’d like to set up customized information security applications or data feeds for your business, and also, stop by the company’s upcoming webcast on supply chain security being presented along with Sourcemap.