A sophisticated cyber-espionage network targeting the world’s diplomatic, government and research agencies has been uncovered by the Kaspersky Lab, whose experts say the malware’s complexity could rival that of the notorious Flame virus.
The system’s targets include a wide range of countries, with the primary focus on Eastern Europe, former Soviet republics and Central Asia – although many in Western Europe and North America are also on the list.
In addition to attacking traditional computer workstations, Rocra – a shortened name for Red October, the name given the network by the Kaspersky team – can steal data from smartphones, dump network equipment configurations, snatch files from removable disk drives, including those that had been erased, and scan through email databases and local network FTP servers.
Unlike other well-known highly automated cyber-espionage campaigns like Flame and Gauss, the Rocra’s attacks all appear to be carefully chosen. Each operation is apparently driven by the configuration of the victim’s hardware and software, native language and even habit of document usage.
The information extracted from infected networks is often used to gain entry into additional systems. For example, stolen credentials were shown to be compiled in a list for use when attackers needed to guess passwords or phrases.
The hackers behind the network have created more than 60 domain names and several server hosting locations in different countries – the majority of those known being in Germany and Russia – which worked as proxies in order to hide the location of the “mothership” control server.
That server’s location remains unknown.
Experts have uncovered over 1,000 modules belonging to 30 different module categories. While Rocra seems to have been designed to execute one-time tasks sent by the hackers’ servers, a number of modules were constantly present in the system executing persistent tasks. For example, retrieving information about a phone, its contact list, call history, calendar, SMS messages and even browsing history as soon as an iPhone or a Nokia phone is connected to the system.
The hackers’ primary objective is to gather information and documents that compromised governments, corporations or other organizations and agencies. In addition to focusing on diplomatic and governmental agencies around the world, the hackers also attacked energy and nuclear groups and trade and aerospace targets.
No details have been given so far as to who the attackers could be. However, there is strong technical evidence to indicate that the attackers have Russophone origins, as Russian words including slang have been used in the source code commentaries. Many of the known attacks have taken place in Russian-speaking countries.
The hackers designed their own authentic and complicated piece of software, which has its own unique modular architecture of malicious extensions, info-stealing modules and backdoor Trojans. The malware includes several extensions and malicious files designed to quickly adjust to different system configurations while remaining able to grab information from infected machines.
These included a ‘resurrection’ module, which allowed hackers to gain access to infected machines using alternative communications channels and an encoded spy module, stealing information from different cryptographic systems such as Acid Cryptofiler, which is known to be used by organizations such as NATO, the European Parliament and the European Commission since 2011.
The first instances of Red October malware were discovered in October 2012, but it has been infecting computers since at least 2007, according to Kaspersky. The Kaspersky Lab worked with a number of international organizations while conducting the investigation including the US, Romanian and Belorusian Computer Emergency Readiness Teams.
The EU has attempted to counter the huge rise in cyber-espionage by launching the European Cybercrime Centre, which opened on Friday.