Cybersleuths Uncover 5-Year Spy Operation Targeting Governments, Others

An advanced and well-orchestrated computer spy operation that targeted diplomats, governments and research institutions for at least five years has been uncovered by security researchers in Russia.
The highly targeted campaign, which focuses primarily on victims in Eastern Europe and Central Asia based on existing data, is still live, harvesting documents and data from computers, smartphones and removable storage devices, such as USB sticks, according to Kaspersky Lab, the Moscow-based antivirus firm that uncovered the campaign. Kaspersky has dubbed the operation “Red October.”
While most of the victims documented are in Eastern Europe or Central Asia, targets have been hit in 69 countries in total, including the U.S., Australia, Ireland, Switzerland, Belgium, Brazil, Spain, South Africa, Japan and the United Arab Emirates. Kaspersky calls the victims “high profile,” but declined to identify them other than to note that they’re government agencies and embassies, institutions involved in nuclear and energy research and companies in the oil and gas and aerospace industries.
“The main purpose of the operation appears to be the gathering of classified information and geopolitical intelligence, although it seems that the information-gathering scope is quite wide,” Kaspersky notes in a report released Monday. “During the past five years, the attackers collected information from hundreds of high-profile victims, although it’s unknown how the information was used.”
The attackers, believed to be native Russian-speakers, have set up an extensive and complex infrastructure consisting of a chain of at least 60 command-and-control servers that Kaspersky says rivals the massive infrastructure used by the nation-state hackers behind the Flame malware that Kaspersky discovered last year.
But the researchers note that the Red October attack has no connection to Flame, Gauss, DuQu or other sophisticated cyberspy operations Kaspersky has examined in recent years.
The attack also shows no signs yet of being the product of a nation-state and may instead be the work of cybercriminals or freelance spies looking to sell valuable intelligence to governments and others on the black market, according to Kaspersky Lab senior security researcher Costin Raiu.
The malware the attackers use is highly modular and customized for each victim; each victim is assigned a unique ID that is hardcoded into the malware modules that victim receives.
The statistics on countries and industries are based on Kaspersky customers who have been infected with the malware and on victim machines that contacted a Kaspersky sinkhole set up for some of the command-and-control servers.