Diplomatic and government agencies targeted in years-long cyberespionage operation

The attackers used custom malware to target organizations from 39 countries, Kaspersky Lab says

Unidentified attackers stole sensitive information from hundreds of diplomatic, government, research and military organizations from around the world as part of a newly uncovered cyberespionage campaign that started nearly six years ago. The operation involved the use of highly customized and sophisticated data theft malware, researchers from antivirus firm Kaspersky Lab said Monday.

Kaspersky researchers started investigating the ongoing operation, which they dubbed "Red October," in October 2012. However, based on timestamps found in associated malicious files and registration dates for some of the command-and-control domain names, the attack campaign might have started in May 2007, they said Monday in a blog post.

The targeted organizations include embassies, government agencies, military facilities, nuclear and aerospace research institutions, oil and gas companies and other high-profile institutions. Several hundred systems have been infected within the targeted organizations, said Costin Raiu, director of Kaspersky Lab's global research and analysis team.

Many of the affected organizations are located in former USSR states such as Russia, Ukraine, Belarus, Kazakhstan, Armenia and Azerbaijan. However, victims have also been identified in the United States, Brazil, India, Belgium, Switzerland, Germany and other countries, with some specific exceptions such as China, Raiu said.

In total, affected organizations have been identified in 39 countries, according to a detailed analysis of the operation published Monday by Kaspersky Lab.

"We believe that the main goal of this operation is to obtain classified information which can be used for geopolitical gains," Raiu said. There's no proof that this cyberespionage operation is sponsored by a nation state, but the high-profile data stolen from the victims can of course be used by nation states to their advantage. One possibility is that this information is stolen with the intent of being sold to the highest bidder, he said.

The spear-phishing attacks -- targeted email attacks -- associated with this cyberespionage operation distribute malicious documents that exploit known vulnerabilities in Microsoft Excel or Word to install a custom piece of malware on computers. It appears that the same exploits were previously used in targeted attacks against Tibetan activists, as well as military and energy sector targets in Asia.

The exploits used in the Red October operation appear to have been created on computers that use Simplified Chinese character encoding, Raiu said. However, there's strong reason to believe that the distributed malware was created by Russian-speaking developers, he said.

It is unclear why the Red October attackers are reusing the Chinese exploits instead of creating their own, but one possibility is that they are attempting to trick investigators into believing that the attacks are associated with other campaigns, Raiu said.

Despite the fact that these exploits are known, some antivirus products don't detect them because they have been slightly modified to evade detection. It's also possible that other methods of distributing the malware are used, but they haven't been identified yet, Raiu said.

The malware installed on computers can download and execute additional encrypted modules, each with its own specific functionality. More than 1,000 modules have been identified so far by the Kaspersky researchers.

Once a system is infected, the attackers spend a few days performing reconnaissance by using different modules to gather information from the system such as, for instance, what applications are installed, what USB devices are attached, the browser history, the stored FTP and email credentials, and the available remote shares.

Additional modules are then deployed to steal data from USB drives, including deleted files, download contact lists, call history, calendar entries or SMS messages from connected mobile phones (Windows Mobile, iPhones and Nokia phones are supported); steal emails from local Outlook storage or remote IMAP/POP3 servers; take screenshots and record keystrokes; and more.

There are also modules for so-called "lateral movement" inside the network -- the infection of other systems on the network. These modules can scan for and exploit known vulnerabilities on other systems, download configuration data from routers, access local FTP servers and other types of servers with stolen credentials, and more.

The types of files targeted by the malware include: txt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau, cif, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca, aciddsk, acidpvr, acidppr and acidssa.

The acid* files are particularly interesting because they are associated with a classified piece of software called "Acid Cryptofiler" that is used by government organizations to encrypt files and hard drives, Raiu said. Searches on Google will reveal that this software is used by entities like the European Union and NATO, he said.

For the most part, the Red October campaign has gone undetected for more than five years. Some of the malware's modules have been detected from time to time by antivirus products, but no one has ever put the pieces together to uncover the full extent of the operation until now, Raiu said.

The Kaspersky researchers believe that the Red October campaign is more sophisticated than previously documented cyberespionage campaigns like Aurora or Night Dragon. Some of those attacks might have used zero-day exploits -- exploits for previously unknown and unpatched vulnerabilities -- for distribution, but this attack is much more complex in terms of lateral movement and data exfiltration, Raiu said.

The Red October attackers spend a couple of days gathering information about an infected system and its network before deciding which modules to use and how. The attacks are more personal and the level of customization is greater, Raiu said.

The operation's command-and-control infrastructure is also sophisticated. The Kaspersky researchers discovered more than 60 domain names used for command-and-control purposes that are hosted on servers in Russia, Germany and other countries. The whole infrastructure is actually a chain of servers that act as proxies to hide the main and yet-to-be-identified "mothership" server, they said.

Given the length of the operation, the Kaspersky researchers believe that hundreds of terabytes of sensitive data have probably been stolen until now.

Raiu declined to name any of the affected organizations, but said that the company is open to working with the national CERTs (computer emergency response teams) from countries where victims were identified and provide them with the IP (Internet protocol) addresses of the victims.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags intrusionsecuritydata breachDesktop securityspywaremalwarekaspersky lab

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?