A rogue group is covertly collecting top-secret data with an infrastructure rivaling Flame and Stuxnet
Russian antivirus firm Kaspersky Labs has uncovered a high-level cyber-espionage campaign that has been targeting government agencies, research institutions, and diplomats for the past five years to gather "classified information and geopolitical intelligence," per a report published on Monday. Here's what we know about operation "Red October," which has some hallmarks of government-sponsored C++ computer viruses Flame and Stuxnet that came before it:
What's going on exactly?
A sophisticated digital infrastructure that's utilizing a chain of more than 60 command-and-control servers is silently gathering data from high-profile targets around the world, and avoiding detection. Whoever is behind the operation has been compiling troves of top-secret documents and files from computers, smartphones, and external storage hardware like USB sticks since 2007. Kasperksy says the campaign is still active, with a complexity that rivals the Flame virus allegedly used by the U.S. and Israel to spy on Iran's nuclear efforts.
Who's being targeted?
Most of the targets are in Eastern Europe and Central Asia, but more than 60 countries have been hit; accounts have been compromised in the U.S., Australia, Ireland, Switzerland, Japan, Spain, and more. Kaspersky declined to disclose the identities of the targets, but Kim Zetter at Wired notes that the agencies and institutions involved relate to "nuclear and energy research and companies in the oil and gas and aerospace industries."
How does the attack work?
The Red October worm first infiltrates computers using email attachments — things like Word and Excel files. Once a computer is infected, that data is beamed back to a still-invisible command server mothership, which assigns each victim's computer a 20-hex digit code to identify it. This foothold, more alarmingly, can spread to mobile devices like smartphones, or even entire enterprise networks like Cisco to steal account information and passwords from databases. They also help hackers reinfect machines in case the malware is removed by antivirus scanners. The techniques and code likely have Chinese origins, and have been used in previous attacks targeting Tibetan activists and military in Asia. (Click here for a detailed walkthrough of how the attack works.)
Who's behind it?
Unlike Flame and Stuxnet, Red October probably isn't a government-sponsored enterprise. Rather, Kasperspy says the cybercriminals behind this worm are most likely based in Russia, and are looking to sell their intelligence for a premium on the black market to governments and others willing to pay.
What kind of information are they gathering?
They're taking everything: .pdf files, Excel spreadsheets, and documents with .acid extensions, which are run through Acid Cryptofiler, an encryption program used by the French military and NATO. The virus "can also scrub enterprise network equipment and removable disk drives, copy entire email databases from Outlook storage and POP/IMAP servers, and it can even take deleted files off USB sticks using its own recovery mechanism," says Eric Limer at Gizmodo. "Red October doesn't mess around."
What's being done to stop it?
The investigation is still ongoing. Per the report published Monday: "Kaspersky Lab, in collaboration with international organizations, Law Enforcement, Computer Emergency Response Teams (CERTs) and other IT security companies is continuing its investigation of Operation Red October by providing technical expertise and resources for remediation and mitigation procedures."
Other stories from this topic:
- Instant Guide: Why the internet is incensed by the suicide of activist Aaron Swartz
- The Bullpen: Obama's war on hackers: 5 things you need to know
- Best Column: Why it's time to kill the online password