‘Red October’ espionage network uncovered

15 January 2013

A cyberespionage network has, since 2007, been stealing confidential data from private industry and government and research organisations in Eastern Europe, former Soviet republics and Central Asian countries, a security firm has reported.

The network, called "Red October", has also stolen sensitive information from organisations in Western Europe and the US, but the focus was in the other regions, Kaspersky Lab said. Most victims were diplomatic and government organisations, scientific research institutions, nuclear and energy groups, private trade groups and companies in the aerospace industries.

Kaspersky said it did not know whether the operation was state-sponsored or a criminal group gathering information to sell to the highest bidder. "The most probable scenario is for the end-customer to be a nation-state," Roel Schouwenberg, a senior researcher at Kaspersky Lab, told CSO Online.

Kaspersky discovered the network last year during an investigation stemming from a series of attacks against the computer networks of diplomatic service agencies.

The attackers, believed to have "Russian-speaking origins," used malware with a unique modular architecture comprising malicious extensions, information-stealing code and backdoor Trojans. The malware is called Rocra, which is short for Red October.

The network compromised systems of hundreds of victims across 69 companies, Schouwenberg said. "It’s likely there are more victims out there that we’re currently not aware of."

Computer systems fell as information stolen from one was used to penetrate another. For example, stolen credentials were compiled in a list and then used to guess passwords or phrases to gain access to additional systems. The attackers created more than 60 domain names and several server-hosting locations in different countries, with the majority in Germany and Russia. The majority of servers were used as proxies, in order to hide the command-and-control server at the core of the operation.

The stolen data had a wide variety of extensions. One extension not seen as a target before was "acid," which appears to be documents encrypted with classified software called "Acid Cryptofiler." This software is in use by both the European Union and the North Atlantic Treaty Organisation.
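The two techniques described above, replaying harvested credentials against many systems and targeting files by extension (including the ".acid" files produced by Acid Cryptofiler), both leave traces in ordinary authentication and file-access logs. The following detection script is an added example written for this page; it is not code from the article or from Kaspersky's report. The key=value log format, the sample events, the host and user names, the fan-out threshold and the ten-minute window are all constructed assumptions for the demonstration.

```python
"""Detection of credential fan-out and reads of watched file types.

Added example, not part of the original article or the Kaspersky report.
The log format, sample events and thresholds below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# .acid is named in the article as an unusual exfiltration target; the other
# extensions are an assumption chosen for this example.
WATCHED_EXTENSIONS = {".acid", ".docx", ".xlsx", ".pdf"}

# Constructed sample events: successful authentications and file reads.
SAMPLE_LOG = """\
2013-01-10T08:01:00 type=auth user=j.doe src=ws-17 dst=fs-01 result=success
2013-01-10T08:01:30 type=auth user=j.doe src=ws-17 dst=fs-02 result=success
2013-01-10T08:02:10 type=auth user=j.doe src=ws-17 dst=mail-01 result=success
2013-01-10T08:02:40 type=auth user=j.doe src=ws-17 dst=db-03 result=success
2013-01-10T08:03:05 type=auth user=j.doe src=ws-17 dst=srv-09 result=success
2013-01-10T09:15:00 type=auth user=a.smith src=ws-04 dst=fs-01 result=success
2013-01-10T14:00:00 type=auth user=a.smith src=ws-04 dst=mail-01 result=success
2013-01-10T08:05:00 type=file user=j.doe host=fs-01 path=/share/treaty_draft.acid action=read
2013-01-10T08:05:02 type=file user=j.doe host=fs-01 path=/share/budget.xlsx action=read
2013-01-10T10:00:00 type=file user=a.smith host=fs-01 path=/share/notes.txt action=read
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts_str, _, rest = line.partition(" ")
    event = {"ts": datetime.fromisoformat(ts_str)}
    for token in rest.split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_credential_fanout(events, max_hosts=3, window=timedelta(minutes=10)):
    """Flag accounts that authenticate to more than max_hosts distinct
    destinations inside a sliding window: the footprint left when a
    harvested credential list is replayed against many systems."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("type") == "auth" and e.get("result") == "success":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            hosts = {start["dst"]}
            for later in evs[i + 1:]:
                if later["ts"] - start["ts"] > window:
                    break
                hosts.add(later["dst"])
            if len(hosts) > max_hosts:
                alerts.append((user, start["ts"], sorted(hosts)))
                break  # one alert per account is enough
    return alerts


def detect_watched_file_reads(events, extensions=WATCHED_EXTENSIONS):
    """Return (user, host, path) for every read of a watched file type."""
    hits = []
    for e in events:
        if e.get("type") != "file" or e.get("action") != "read":
            continue
        path = e["path"]
        ext = path[path.rfind("."):].lower() if "." in path else ""
        if ext in extensions:
            hits.append((e["user"], e["host"], path))
    return hits


def run(text=SAMPLE_LOG):
    events = parse_log(text)
    return {
        "fanout": detect_credential_fanout(events),
        "files": detect_watched_file_reads(events),
    }


if __name__ == "__main__":
    for name, findings in run().items():
        print(name, findings)
```

On the constructed sample, the first rule fires once for the account that reaches five hosts in about two minutes and stays silent for the account with two logins hours apart; the second rule reports the ".acid" and ".xlsx" reads and ignores the plain text file. In production the thresholds would be tuned per environment, and the watched-extension rule is most useful when joined with the process or share that served the read.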

"Previously targeted attacks that have been analysed and reported did not focus on stealing files that were encrypted with Acid Cryptofiler," Schouwenberg said.

The attackers used spear-phishing emails to lure victims into opening attachments that exploited vulnerabilities in Microsoft Office and Excel applications.

The exploit code had been used before in cyberattacks on Tibetan activists and military and energy-related targets in Asia, Kaspersky said. The embedded executable was unique to Rocra.

Among the unusual attributes of the Rocra malware was a "resurrection" module embedded as a plug-in in Adobe Reader and Microsoft Office applications. The plug-in made it possible for attackers to regain control of a system after the main body of the malware was discovered and removed.

In addition, the malware was capable of stealing data from mobile devices, as well as PCs. Smartphone targets included the iPhone, Nokia devices and phones running Windows Mobile.

Kaspersky conducted the investigation in collaboration with international law enforcement agencies and the Computer Emergency Response Teams in Romania and Belarus.

According to the latest report from the US Defence Security Service, cyberespionage technology is more sophisticated than ever and its use against US targets is growing. During fiscal years 2010-11, reports of attempts to steal sensitive or classified information and technology rose 75%.

 

IDG News Service 

TechCentral.ie