Researchers say the cyber attack has been in operation since 2007 – and is still running
Operation described as ‘massive’ and has stolen ‘several terabytes’ of data
Security firm which discovered the attacks claims there is ‘strong technical evidence the attackers have Russian-speaking origins’ – but says a private firm or rogue nation could be behind the network.
Targets included diplomatic and governmental agencies of various countries across the world, research institutions, energy and nuclear groups, and trade and aerospace firms
A major cyber-attack that has been stealing information from high level government computers around the world since 2007 has been discovered.
Kaspersky Labs, which made the discovery, said in addition to diplomatic and governmental agencies of various countries across the world, Red October also targeted research institutions, energy and nuclear groups, and trade and aerospace targets.
The firm even said the malware was used to infiltrate smartphones of government workers to electronically steal information.
The full extent of the Red October operation is revealed in this infographic, showing how it has hit countries across the globe
WHAT HAS BEEN STOLEN?
The main objective of the attackers was to gather sensitive documents from the compromised organisations.
This included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment.
Overall, Kaspersky said over 7 terabytes (7,000GB) of data has been stolen.
The primary focus of the campaign was targeting countries in eastern Europe.
‘Former USSR Republics and countries in Central Asia were targeted, although victims can be found everywhere, including Western Europe and North America’, said Kaspersky Lab, an antivirus software firm which made the discovery.
‘The main objective of the attackers was to gather sensitive documents from the compromised organisations, which included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment.’
Red October, which has been active since at least 2007, appears to collect files encrypted with software used by several entities from the European Union to Nato.
Kaspersky said Red October also infected smartphones, including iPhones, Windows Mobile and Nokia handsets.
It is believed to be still operating, although since the research was published, the attackers are believed to have started dismantling the system to protect their identities.
‘The project started in October 2012, we received a suspicious executable from a partner,’ Vitaly Kamluk, Chief Malware Expert at Kaspersky Lab told MailOnline.
‘We checked and began to understand what we had was quite massive – we found 1,000 different files in a few weeks, each of them a personalised email.’
Mr Kamluk said the attacks were highly customised.
‘There are a very limited number of machines, around 1,000 around the world, but every target is carefully selected.’
‘We extracted language used and found broken English was used, with Russian words thrown in, such as Proga, commonly used among Russian programmers.
‘However, we are not pointing fingers at Russia – just that Russian language has been spotted.
‘It could be any organisation or country behind this, it could be nation states or a private business or criminal group.’
HOW RED OCTOBER WORKS
One of the fake emails used to infect computers
Red October is a malware attack.
Initially the malicious code was delivered via e-mail as attachments (Microsoft Excel, Word and, probably, PDF documents) which were rigged with exploit code for known security vulnerabilities in the various applications.
Intended targets received personalised correspondence based on gathered intelligence on individual people (an example is on the right).
These attacks comprised two major stages:
Initial infection: Right after the victim opens the malicious document on a vulnerable system, the embedded malicious code initiates the setup of the main Red October software on the machine.
This handles further communication with the master servers run by the hackers, and can survive the computer being restarted.
Spying: Next, the system receives a number of additional spy modules from the hacker’s server, including modules to handle infection of smartphones – the team said iPhones, Windows phones and Nokia handsets were seen on the network.
The specific modules are customised for each mobile depending on the information the hackers wanted.
The main purpose of the spying modules is to steal information.
All gathered information is packed, encrypted and only then transferred to the Red October command servers.
Other modules were designed to target files encrypted using a system known as Cryptofiler – an encryption standard that used to be in widespread use by intelligence agencies but is now less common.
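The two-stage flow described above leaves a network footprint a defender can look for: the implant keeps a regular channel open to its command servers, several infected hosts end up talking to the same small set of external addresses, and the packed-and-encrypted document haul eventually has to leave as a large upload. The script below is an added illustration, not code from the article or from Kaspersky; it runs three such checks over a constructed egress log in a hypothetical `<seconds> <host> <dst_ip> <bytes_out>` format and combines them into a triage list. The hostnames, addresses, intervals and thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample egress log (hypothetical format): "<seconds> <host> <dst_ip> <bytes_out>".
# ws-17 checks in with one destination every 600 s and then pushes a ~40 MB upload;
# ws-02 talks to two destinations, one of them shared with ws-17.
SAMPLE_LOG = """\
0 ws-17 198.51.100.23 512
600 ws-17 198.51.100.23 530
1200 ws-17 198.51.100.23 498
1800 ws-17 198.51.100.23 40960000
2400 ws-17 198.51.100.23 505
0 ws-02 203.0.113.9 1200
3100 ws-02 203.0.113.9 900
7000 ws-02 198.51.100.23 300
"""


def parse_log(text):
    """Parse the constructed log into (ts, host, dst, bytes_out) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, dst, nbytes = parts
        records.append((int(ts), host, dst, int(nbytes)))
    return records


def _sessions(records):
    """Group events by (host, dst) and sort each group by timestamp."""
    grouped = defaultdict(list)
    for ts, host, dst, nbytes in records:
        grouped[(host, dst)].append((ts, nbytes))
    for key in grouped:
        grouped[key].sort()
    return grouped


def find_beacons(records, min_events=4, max_jitter=0.2):
    """Return {(host, dst): mean_interval_s} for pairs whose contact times are evenly spaced.

    Jitter is the coefficient of variation of the gaps between contacts; a persistent
    implant polling its server on a timer gives a value near zero.
    """
    beacons = {}
    for (host, dst), events in _sessions(records).items():
        if len(events) < min_events:
            continue
        stamps = [ts for ts, _ in events]
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = float(mean(gaps))
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_jitter:
            beacons[(host, dst)] = avg
    return beacons


def bulk_uploads(records, threshold_bytes=10_000_000):
    """Return {(host, dst): total_bytes_out} for pairs whose cumulative upload exceeds the threshold."""
    totals = {}
    for (host, dst), events in _sessions(records).items():
        total = sum(nbytes for _, nbytes in events)
        if total >= threshold_bytes:
            totals[(host, dst)] = total
    return totals


def shared_destinations(records, min_hosts=2):
    """Return {dst: sorted hosts} for external addresses contacted by several internal hosts."""
    hosts_by_dst = defaultdict(set)
    for _, host, dst, _ in records:
        hosts_by_dst[dst].add(host)
    return {dst: sorted(h) for dst, h in hosts_by_dst.items() if len(h) >= min_hosts}


def triage(records):
    """Combine the three signals into a sorted list of (host, dst, reasons) for an analyst."""
    beacons = find_beacons(records)
    uploads = bulk_uploads(records)
    shared = shared_destinations(records)
    findings = {}
    for key, interval in beacons.items():
        findings.setdefault(key, []).append(f"beacon every {interval:.0f}s")
    for key, total in uploads.items():
        findings.setdefault(key, []).append(f"{total} bytes out")
    for host, dst in _sessions(records):
        if dst in shared:
            findings.setdefault((host, dst), []).append(f"dst shared by {len(shared[dst])} hosts")
    return sorted((host, dst, reasons) for (host, dst), reasons in findings.items())


if __name__ == "__main__":
    for host, dst, reasons in triage(parse_log(SAMPLE_LOG)):
        print(f"{host} -> {dst}: {'; '.join(reasons)}")
```

On the sample, only the ws-17 session to 198.51.100.23 trips all three checks, while ws-02 is listed solely because it shares that destination; in practice each signal alone produces false positives (software updaters beacon, backups upload in bulk), so the value lies in the overlap and in following up with the host itself.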
The campaign, identified as ‘Rocra’, short for ‘Red October’, is currently still active with data being sent to multiple command-and-control servers, through a configuration which rivals in complexity the infrastructure of the Flame malware.
Kaspersky’s research indicated there were 55,000 connection targets within 250 different IP addresses.
Most infection connections were found coming from Switzerland, followed by Kazakhstan and Greece.
‘There is sensitive geopolitical information being stolen, which is very valuable,’ said Mr Kamluk.
Kaspersky estimate there were 20-30 developers working full time on this, and all were ‘very experienced programmers’.
…
By Mark Prigg
PUBLISHED: 14:39 GMT, 16 January 2013 | UPDATED: 14:56 GMT, 16 January 2013
© Associated Newspapers Ltd