Kaspersky Labs, an online security firm, announced Monday that for at least five years, a cyber-espionage campaign has breached computer networks at diplomatic, government and scientific research organizations.
A campaign called “Red October,” or “Rocra” for short, has malicious software actively sending data to “multiple command-and-control servers.” Command-and-control servers are data centers that can remotely manage computers that run malware. Kaspersky’s report says “Red October’s” configuration rivals the Flame malware that made headlines last year, when it was discovered to have infected computers in Iran.
“It’s a professional, multi-year cyber-espionage campaign,” Kurt Baumgartner, senior security researcher at Kaspersky Labs, tells CBSNews.com.
The “Red October” malware has some peculiar characteristics. One of the most interesting finding, Baumgartner tells CBSNews.com, is that the types of targets tend to be geopolitical targets, like government agencies, embassies, nuclear research centers and the military.
Another one of the malware’s unique functions lets it “resurrect” infected machines by embedding a plug-in inside of software like Adobe Reader or Microsoft Office. Even if the malware is removed or a patch is installed, hackers can still access the computer because of this work around.
The malware isn’t limited to traditional computers. Mobile devices like Windows Phones, iPhones and Nokia phones are also at risk.
Kaspersky observed 60 domains and was able to record and log six so-called “sinkhole” domains. Baumgartner says Kaspersky observed tens of thousands of malicious communications coming from hundreds of domains. It can be speculated that the number would be in the thousands, if all of the domains were logged.
Currently, there are no clues as to who is responsible for the operation and there is no evidence that suggest the activities are state sponsored. However, Kaspersky notes two main factors:
- The exploits appear to have been created by Chinese hackers.
- The malware modules have been created by Russian-speaking operatives
“We’re not saying they are Russian hackers, but the developers are of Russian-speaking origin,” Baumgartner says.
Kaspersky Labs finds that the attackers have been at work since at least 2007 — mostly targeting Eastern Europe, but there are reports of the cyber attacks in North America and Western European countries like Switzerland and Luxembourg.
Research suggests that the hackers are interested specifically in data from European Union government entities, based on the type of encryption software packets that were targeted.The encryption type tends to be used mainly by the E.U.
“It was as if they were looking for that specific information,” Baumgartner tells CBSNews.com.
Kaspersky Lab’s report on the “Red October” campaign can be found on Securelist.com.