Security researchers from Kaspersky Lab say they have discovered a huge cyber-espionage effort that targeted dozens of countries. The campaign has been underway for at least five years and is still active.
Ars Technica's Dan Goodwin reported,
"Researchers have uncovered an ongoing, large-scale computer espionage network that's targeting hundreds of diplomatic, governmental, and scientific organizations in at least 39 countries, including the Russian Federation, Iran, and the United States.
Operation Red October, as researchers from antivirus provider Kaspersky Lab have dubbed the highly coordinated campaign, has been active since 2007, raising the possibility it has already siphoned up hundreds of terabytes of sensitive information. It uses more than 1,000 distinct modules that have never been seen before to customize attack profiles for each victim. Among other things, components target individual PCs, networking equipment from Cisco Systems, and smartphones from Apple, Microsoft, and Nokia. The attack also features a network of command-and-control servers with a complexity that rivals that used by the Flame espionage malware that targeted Iran."
The Next Web's Emil Protalinski added, "Among the victim organizations were embassies, consulates, trade centers, nuclear research centres, as well as oil and gas institutes. The vast majority of infections were based in Russia (Kaspersky identified 35), followed by 21 in Kazakhstan, 15 in Azerbaijan, 15 in Belgium, and 14 in India. Six infected machines were found in the US. 'During our investigation we’ve uncovered over 1000 unique files, belonging to about 30 different module categories,' Kaspersky’s report stated. 'The attackers managed to stay in the game for over five years and evade detection of most antivirus products while continuing to exfiltrate what must be hundreds of terabytes by now.'"
According to Nicole Perlroth with The New York Times, "Kaspersky said what set the campaign apart was the fact that the attackers engineered their malware to steal files that have been encrypted with a classified software, called Acid Cryptofiler, that is used by several countries in the European Union and NATO to encrypt classified information."
Wired's Kim Zetter noted, "The attackers, believed to be native Russian-speakers, have set up an extensive and complex infrastructure consisting of a chain of at least 60 command-and-control servers that Kaspersky says rivals the massive infrastructure used by the nation-state hackers behind the Flame malware that Kaspersky discovered last year. But the researchers note that the Red October attack has no connection to Flame, Gauss, DuQu or other sophisticated cyberspy operations Kaspersky has examined in recent years. The attack also shows no signs yet of being the product of a nation-state and may instead be the work of cybercriminals or freelance spies looking to sell valuable intelligence to governments and others on the black market, according to Kaspersky Lab senior security researcher Costin Raiu."