Researchers have uncovered yet another international espionage campaign that's so sophisticated and comprehensive that it could only have been developed with the backing of a well resourced country.

Inception, as the malware is dubbed in a report published Tuesday by Blue Coat Labs, targets devices running Windows, Android, BlackBerry, and iOS, and uses free accounts on the Swedish cloud service CloudMe to collect pilfered data. Malware infecting Android handsets records incoming and outgoing phone calls to MP4 sound files that are periodically uploaded to the attackers. The researchers also uncovered evidence of an MMS phishing campaign designed to work on at least 60 mobile networks in multiple countries in an attempt to infect targeted individuals.

"There clearly is a well-resourced and very professional organization behind Inception, with precise targets and intentions that could be widespread and harmful," the Blue Coat report stated. "The complex attack framework shows signs of automation and seasoned programming, and the number of layers used to protect the payload of the attack and to obfuscate the identity of the attackers is extremely advanced, if not paranoid."

Red October surfaces

A separate report published Wednesday by researchers from Russia-based Kaspersky Lab has dubbed the espionage campaign Cloud Atlas. They say it's almost certainly an update of the Red October malware platform that previously infected hundreds of diplomatic, governmental, and scientific research organizations around the world. One of the most sophisticated so-called advanced persistent threats (APTs) ever discovered, Red October seemed to vanish once Kaspersky Lab researchers brought it to light. Wednesday's report said the Inception/Cloud Atlas platform appeared to be a reinvented version of Red October that was created after it went into hibernation. Blue Coat researchers also acknowledged ties to Red October.

The malware has targeted executives and high-ranking individuals in the finance, engineering, and oil industries as well as those in politics, embassies, and militaries. The top five targeted countries, according to Kaspersky Lab, are Russia, Kazakhstan, Belarus, India, and the Czech Republic, but Blue Coat said it was active in other countries, including Romania, Venezuela, Mozambique, Paraguay, and Turkey. It infects systems through spearphishing e-mails that entice victims to open files booby-trapped with code exploiting vulnerabilities in Microsoft Word.

The malware is also notable for its use of CloudMe and the way it communicates with the service. According to the Kaspersky Lab report:

Each malware set we have observed so far communicates with a different CloudMe account though. The attackers upload data to the account, which is downloaded by the implant, decrypted and interpreted. In turn, the malware uploads the replies back to the server via the same mechanism. Of course, it should be possible to reconfigure the malware to use any Cloud-based storage service that supports WebDAV. Here's a look at one such account from CloudMe:

The data from the account:

The files stored in the randomly named folder were uploaded by the malware and contain various things, such as system information, running processes and current username. The data is compressed with LZMA and encrypted with AES, however, the keys are stored in the malware body which makes it possible to decrypt the information from the C&C.
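The command-and-control pattern described above (an implant polling a WebDAV folder on a consumer cloud service at a fixed interval and pushing results back with PUT) leaves a regular rhythm in web proxy logs that a defender can look for. The following detection script is an added example, not code from either report; the log lines are constructed, the log format, the `cloudme.com` host names and paths, and the jitter threshold are all assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not from the reports). Fields: timestamp, client IP,
# HTTP method, host, path, bytes. 10.0.0.21 polls one WebDAV folder every ten
# minutes and uploads a file after each poll; 10.0.0.22 is an ordinary user.
SAMPLE_LOG = """\
2014-12-10T08:00:02 10.0.0.21 PROPFIND webdav.cloudme.com /u/x/a7f3/ 412
2014-12-10T08:00:04 10.0.0.21 PUT webdav.cloudme.com /u/x/a7f3/r1.bin 9120
2014-12-10T08:10:01 10.0.0.21 PROPFIND webdav.cloudme.com /u/x/a7f3/ 412
2014-12-10T08:10:03 10.0.0.21 PUT webdav.cloudme.com /u/x/a7f3/r2.bin 8870
2014-12-10T08:20:02 10.0.0.21 PROPFIND webdav.cloudme.com /u/x/a7f3/ 412
2014-12-10T08:30:01 10.0.0.21 PROPFIND webdav.cloudme.com /u/x/a7f3/ 412
2014-12-10T08:03:11 10.0.0.22 GET www.cloudme.com /login 5100
2014-12-10T08:05:40 10.0.0.22 PROPFIND webdav.cloudme.com /u/bob/ 1200
2014-12-10T09:41:55 10.0.0.22 GET webdav.cloudme.com /u/bob/holiday.jpg 80211
"""

# WebDAV-only methods: a browser session never issues these, so they mark
# a WebDAV client (sync tool or implant) rather than someone using the web UI.
WEBDAV_ONLY = {"PROPFIND", "PROPPATCH", "MKCOL"}

def parse(log):
    rows = []
    for line in log.splitlines():
        ts, ip, method, host, path, size = line.split()
        rows.append((datetime.fromisoformat(ts), ip, method, host, path, int(size)))
    return rows

def find_webdav_beacons(rows, domain="cloudme.com", min_polls=4, max_jitter=0.1):
    """Flag clients whose WebDAV polling of `domain` is near-periodic and that
    also upload to it: gaps between polls have stdev/mean below max_jitter."""
    polls, uploads = defaultdict(list), defaultdict(int)
    for ts, ip, method, host, _path, size in rows:
        if not host.endswith(domain):
            continue
        if method in WEBDAV_ONLY:
            polls[ip].append(ts)
        elif method == "PUT":
            uploads[ip] += size
    findings = []
    for ip, times in polls.items():
        times.sort()
        if len(times) < min_polls or uploads[ip] == 0:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean and statistics.pstdev(gaps) / mean <= max_jitter:
            findings.append({"client": ip, "period_s": round(mean), "uploaded_bytes": uploads[ip]})
    return findings
```

A legitimate sync client also polls regularly, so a hit is a lead to triage (which process, which account, what was uploaded), not a verdict.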

God Save the Queen

A Visual Basic script drops files on victims' Windows-based hard drives. Each payload is encrypted with a unique key, so it cannot be decrypted without its corresponding dynamic link library (DLL) file. Attackers take other steps to cover their tracks. They use a proxy network composed of routers mostly located in South Korea to host command and control servers. One document uploaded to a CloudMe account controlled by the attackers was titled "Documento sin titulo," a possible indication that they spoke Spanish. The fact that a large majority of the hacked home routers are based in South Korea suggests the attackers were located in that part of the world. The attackers mostly worked between 8am and 5pm GMT+2, suggesting ties to that or a nearby time zone.

Some of the comments in the Android malware are written in Hindi, leading some to think there are ties to India. Strings in the BlackBerry malware are in Arabic, indicating Middle Eastern origins. Yet another string in the BlackBerry code reads "God_Save_The_Queen".

"The attackers have left a slew of potential hints to their physical location," Blue Coat researchers Snorre Fagerland and Waylon Grange wrote. "However, it is extremely difficult to distinguish which of these indicators are legitimate clues and which are bread crumbs intentionally dropped to obscure their trail."

Similarities to Red October are numerous, according to Kaspersky Lab researchers. After adjusting for geopolitical changes that have occurred since Red October was launched, there's a clear overlap in the countries and organizations being targeted. In at least one case, Kaspersky Lab researchers said, a victim's computer had been attacked only twice in the past two years—once with Red October malware and once with Cloud Atlas. Phishing lures used in the Red October and Inception/Cloud Atlas campaigns also share similar document title themes. Witness the following:

There are also striking technical similarities in the malware. For instance, both use a loader and a final payload that's stored encrypted and compressed in an external file. An interesting side note: Red October relied on the cryptographically challenged RC4 algorithm, while Inception/Cloud Atlas uses the Advanced Encryption Standard.

Inception/Cloud Atlas joins a growing roster of discovered malware that's so advanced and comprehensive that it could only have been developed with the funding of a nation-state. Two weeks ago, researchers from Symantec disclosed yet another highly sophisticated APT dubbed Regin that targeted a wide range of international targets in diverse industries for years. Earlier this week, Kaspersky Lab researchers announced the discovery of a Linux backdoor used in Turla, another espionage campaign targeting embassies and governments around the world.