
Int'l cyber-espionage campaign bared


+
Add GMA on Google
Make this your preferred source to get more updates from this publisher on Google.
For the last five years, a high-level cyber-espionage campaign has been using malware to infect targeted computer systems of diplomatic, government and research organizations, a security vendor said this week.
 
Kaspersky Lab said the "Red October" campaign gathered data and intelligence from mobile devices, computer systems and network equipment.
 
"The campaign, identified as 'Rocra,' short for 'Red October,' is currently still active with data being sent to multiple command-and-control servers, through a configuration which rivals in complexity the infrastructure of the Flame malware. Registration data used for the purchase of C&C domain names and PE timestamps from collected executables suggest that these attacks date as far back as May 2007," it said in a blog post.
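As an added illustration, not from the original article or from Kaspersky's analysis, of how the PE timestamps mentioned above are read and used to bound when a set of samples was built; the header bytes are constructed here, and the helper names are this example's own:

```python
import struct
from datetime import datetime, timezone

def pe_timestamp(data: bytes):
    """Return the COFF TimeDateStamp of a PE image, or None if the bytes are not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the 4-byte signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]

def timestamp_to_utc(ts: int) -> datetime:
    """TimeDateStamp is seconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)

def earliest_compile_date(samples):
    """Earliest plausible build time across samples. Zero or future stamps are skipped:
    the field is attacker-controlled and may be blanked or forged, so it only supports,
    never proves, a dating claim (domain registration data is a second, independent source)."""
    now = int(datetime.now(tz=timezone.utc).timestamp())
    stamps = [ts for ts in (pe_timestamp(s) for s in samples) if ts and ts <= now]
    return min(stamps, default=None)

def build_sample_pe(ts: int) -> bytes:
    """Constructed minimal PE header (not a real sample): DOS header pointing at a
    PE signature plus a 20-byte COFF header carrying the given timestamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff

if __name__ == "__main__":
    samples = [build_sample_pe(1179187200), build_sample_pe(0), build_sample_pe(1300000000)]
    earliest = earliest_compile_date(samples)
    print(timestamp_to_utc(earliest).isoformat())               # 2007-05-15T00:00:00+00:00
```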
 
"With Rocra, the attackers managed to stay in the game for over five years and evade detection of most antivirus products while continuing to exfiltrate what must be hundreds of Terabytes by now," it added.
 
It said the malware appeared to target specific organizations mostly in Eastern Europe, former USSR members and countries in Central Asia, Western Europe and North America.
 
Also, Kaspersky said the attackers use the information they harvested from infected networks in later attacks.
 
"To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries (mainly Germany and Russia). The C&C infrastructure is actually a chain of servers working as proxies and hiding the location of the true 'mothership' command and control server," it said.
 
Also, the attackers created a multi-functional framework designed so that new intelligence-gathering features can be added quickly.
 
Such a system is resistant to C&C server takeover and allows the attacker to recover access to infected machines using alternative communication channels.
 
"Based on registration data of the C&C servers and numerous artifacts left in executables of the malware, we strongly believe that the attackers have Russian-speaking origins," Kaspersky said.
 
Mobile devices
 
The campaign can steal data from mobile devices, including iPhone, Nokia and Windows Mobile smartphones.
 
It can also dump the configuration of enterprise network equipment (Cisco), hijack files from removable disk drives and even recover deleted files using a custom file recovery procedure.
 
Targets
 
Kaspersky said the campaign appears to target agencies or organizations in:
 
Government
Diplomatic/embassies
Research institutions
Trade and commerce
Nuclear/energy research
Oil and gas companies
Aerospace
Military
 
"During the past months, we've counted several hundreds of infections worldwide - all of them in top locations such as government networks and diplomatic institutions. The infections we've identified are distributed mostly in Eastern Europe, but there are also reports coming from North America and Western European countries such as Switzerland or Luxembourg," Kaspersky said.
 
It listed the countries with the most infections as:
 
Russian Federation, 35
Kazakhstan, 21
Azerbaijan, 15
Belgium, 15
India, 14
Afghanistan, 10
Armenia, 10
Iran, 7
Turkmenistan, 7
Ukraine, 6
United States, 6
Vietnam, 6
Belarus, 5
Greece, 5
Italy, 5
Morocco, 5
Pakistan, 5
Switzerland, 5
Uganda, 5
United Arab Emirates, 5
 
Created by Chinese, Russian-speaking hackers?
 
Kaspersky said the information it collected so far indicated the exploits appear to have been created by Chinese hackers, while the Rocra malware modules have been created by Russian-speaking operatives.
 
No sign of state-sponsored attack
 
Kaspersky said there is presently no evidence linking this with a nation-state sponsored attack.
 
However, it said the information stolen by the attackers is "obviously of the highest level and includes geopolitical data which can be used by nation states."
 
"Such information could be traded in the underground and sold to the highest bidder, which can be of course, anywhere," it said. — TJD, GMA News