Researchers at Kaspersky Lab have uncovered an "advanced cyber espionage network" - dubbed Red October - that has been active for at least five years and is targeting diplomatic and government agencies.

At the request of an unnamed partner, Kaspersky investigated and uncovered Red October (or Rocra) in October. Since at least 2007, it has targeted organizations mostly in Eastern Europe, former USSR members, and countries in Central Asia, but the malware has also shown up in Western Europe and North America.

Kaspersky has identified hundreds of infections worldwide, with most - about 35 - hitting those in Russia. About 21 infections were in Kazakhstan, while Azerbaijan and Belgium both saw 15. In the U.S., Kaspersky has logged six infections.

Kaspersky found that those behind Rocra reuse collected data in later attacks. "For example, stolen credentials were compiled in a list and used when the attackers needed to guess passwords and network credentials in other locations," the company said.

Meanwhile, Rocra has infiltrated not just traditional workstations, but mobile devices like smartphones - particularly those from Microsoft, Apple, and Nokia.

Rocra is also capable of "dumping enterprise network equipment configuration (Cisco); hijacking files from removable disk drives (including already deleted files via a custom file recovery procedure); stealing email databases from local Outlook storage or remote POP/IMAP server; and siphoning files from local network FTP servers," Kaspersky said.

Kaspersky said the data it has collected does not suggest a "nation-sponsored attack." The Flame and Stuxnet viruses, for example, were reportedly a joint U.S.-Israeli operation intended to stop Iran from expanding its nuclear program.

With Rocra, however, Kaspersky suggested that the exploits were the work of Chinese hackers, while the Rocra malware modules - which scan networks and collect data - appear to have been created by Russian-speaking operatives.

"The main purpose of the operation appears to be the gathering of classified information and geopolitical intelligence, although it seems that the information gathering scope is quite wide," Kaspersky said. "During the past five years, the attackers collected information from hundreds of high profile victims although it's unknown how the information was used. It is possible that the information was sold on the black market, or used directly."

At this point, Rocra is "still active," and data is being sent to multiple command-and-control servers, which "rivals in complexity the infrastructure of the Flame malware." Still, Kaspersky could not find any connection between Rocra and Flame.

"Compared to Flame and Gauss, which are highly automated cyberespionage campaigns, Rocra is a lot more 'personal' and finely tuned for the victims," Kaspersky concluded.

For more, see part one of Kaspersky's full paper on Red October. Part two, with detailed technical analysis of the modules involved in Rocra, will be published in the next few days.

For more from Chloe, follow her on Twitter @ChloeAlbanesius.
