A new revelation from a prominent Russian cyber research lab has set the cybersecurity world abuzz and has triggered a search worthy of a Tom Clancy novel.
After several months of investigation, Kaspersky Lab, a multinational computer security company based in Moscow, has announced the discovery of a new threat: a five-year-old cyber-espionage campaign that has successfully infiltrated computer networks worldwide at diplomatic, governmental, nuclear and energy groups along with scientific research organizations and aerospace industries.
The campaign, identified as “Rocra,” short for “Red October,” is still active, with data being sent to multiple command-and-control servers around the world. The malware is one of the most sophisticated pieces of computer code since the Stuxnet virus that brought Iran’s nuclear-enrichment program to its knees. It was found on Russian networks in October 2012, hence its name.
“We believe that the main goal of this operation is to obtain classified information which can be used for geopolitical gains,” said Costin Raiu, a senior security researcher at Kaspersky Lab. “There’s no proof that this cyber-espionage operation is sponsored by a nation state, but the high-profile data stolen from the victims can of course be used by nation states to their advantage. One possibility is that this information is stolen with the intent of being sold to the highest bidder.”
Raiu said the primary targets are countries in Eastern Europe, the former USSR republics and Central Asia, although victims can be found in Western Europe and North America.
More than 1,000 program objects have been identified so far by the Kaspersky researchers.
The virus attacks sites and gathers intelligence from their networks, individual computer systems and mobile devices. It even gathers erased files from USB drives.
The latest threat doesn’t seem to be the work of a nation-state or terrorist group but of very talented mercenaries.
While only recently discovered, Red October has been operating since at least 2007.
Like the virus that attacked Israeli police computers last year, Red October gathers classified information through vulnerabilities in Microsoft’s Word and Excel programs.
It appears that parts of the same code were previously used in targeted attacks against Tibetan activists, as well as military and energy sector targets in Asia.
Using these exploits, Red October assigned each device it compromised a unique 20-digit identification code. It then took the data it collected from each device and reported it back to one of over 20 servers around the world.