An advanced and well-orchestrated computer spy operation that targeted diplomats, governments and research institutions for at least five years has been uncovered by security researchers in Russia.
The highly targeted campaign, which focuses primarily on victims in Eastern Europe and Central Asia based on existing data, is still live, harvesting documents and data from computers, smartphones and removable storage devices, such as USB sticks, according to Kaspersky Lab, the Moscow-based antivirus firm that uncovered the campaign. Kaspersky has dubbed the operation “Red October.”
While most of the victims documented are in Eastern Europe or Central Asia, targets have been hit in 69 countries in total, including the U.S., Australia, Ireland, Switzerland, Belgium, Brazil, Spain, South Africa, Japan and the United Arab Emirates. Kaspersky calls the victims “high profile,” but declined to identify them other than to note that they’re government agencies and embassies, institutions involved in nuclear and energy research and companies in the oil and gas and aerospace industries.
“The main purpose of the operation appears to be the gathering of classified information and geopolitical intelligence, although it seems that the information-gathering scope is quite wide,” Kaspersky notes in a report released Monday. “During the past five years, the attackers collected information from hundreds of high-profile victims, although it’s unknown how the information was used.”
The attackers, believed to be native Russian-speakers, have set up an extensive and complex infrastructure consisting of a chain of at least 60 command-and-control servers that Kaspersky says rivals the massive infrastructure used by the nation-state hackers behind the Flame malware that Kaspersky discovered last year.
The attack also shows no signs yet of being the product of a nation-state and may instead be the work of cybercriminals or freelance spies looking to sell valuable intelligence to governments and others on the black market, according to Kaspersky Lab senior security researcher Costin Raiu.
The malware the attackers use is highly modular and customized for each victim; every victim is assigned a unique ID that is hardcoded into the malware modules they receive.
“The victim ID is basically a 20-hex digit number,” Raiu says. “But we haven’t been able to figure out any method to extract any other information from the victim ID…. They are compiling the modules right before putting them into the booby-trapped documents, which are also customized to the specific target with a lure that can be interesting to the victim. What we are talking about is a very targeted and very customized operation, and each victim is pretty much unique in what they receive.”
The statistics on countries and industries are based on Kaspersky customers who have been infected with the malware and on victim machines that contacted a Kaspersky sinkhole set up for some of the command-and-control servers.
Raiu wouldn’t say how his company came across the operation, other than to note that someone asked the lab last October to look into a spear-phishing campaign and a malicious file that accompanied it. The investigation led them to uncover more than 1,000 malicious modules the attackers used in their five-year campaign.
Each module is designed to perform various tasks — extract passwords, steal browser history, log keystrokes, take screenshots, identify and fingerprint Cisco routers and other equipment on the network, steal email from local Outlook storage or remote POP/IMAP servers, and siphon documents from the computer and from local network FTP servers. One module designed to steal files from USB devices attached to an infected machine uses a customized procedure to find and recover deleted files from the USB stick.
A separate mobile module detects when a victim connects an iPhone, Nokia or Windows phone to the computer and steals the contact list, SMS messages, call and browsing history, calendar information and any documents stored on the phone.
Based on search parameters uncovered in some of the modules, the attackers are looking for a wide variety of documents, including .pdf files, Excel spreadsheets, .csv files and, in particular, any documents with various .acid extensions. These refer to documents run through Acid Cryptofiler, an encryption program developed by the French military, which is on a list of crypto software approved for use by the European Union and NATO.