Researchers from internet security company Kaspersky Lab have uncovered an ongoing espionage network that has been operating in at least 39 countries, including some that might otherwise have been considered potential perpetrators: the US, Russia and Iran. The espionage campaign has focused on governmental, scientific and diplomatic organisations.
Kaspersky Lab have identified the campaign as ‘Rocra’, short for Red October, and say that the operation has been active since 2007:
The campaign, identified as “Rocra”, short for “Red October”, is currently still active with data being sent to multiple command-and-control servers, through a configuration which rivals in complexity the infrastructure of the Flame malware. Registration data used for the purchase of C&C domain names and PE timestamps from collected executables suggest that these attacks date as far back as May 2007.
With Red October having gone undiscovered for over five years, the amount of sensitive data stolen could reach staggering levels, possibly in the range of hundreds of terabytes, taken from computers, smartphones and other mobile devices.
The attack profiles are customised to each victim via over 1,000 distinct modules, some of which target files that have been encrypted using a system called Cryptofiler, which is still used by NATO to protect sensitive data. The fact that such files are targeted could suggest that its encryption has been cracked, though it could equally mean the attackers simply collect the encrypted files for decryption elsewhere.
The command-and-control infrastructure employed by Red October rivals what was seen with the Flame espionage malware that was used against Iran.
“This is a pretty glaring example of a multiyear cyber espionage campaign,” Kaspersky Lab expert Kurt Baumgartner told Ars. “We haven’t seen these sorts of modules being distributed, so the customized approach to attacking individual victims is something we haven’t seen before at this level.”
So far Red October has been spotted on more than 300 PCs, yet there is nothing to indicate who is behind it or whether it is a nation-state attack:
“There’s not enough evidence to link it to a nation-state, but certainly this level of interest and multi-year, ongoing campaign puts it up there with something like Flame and Duqu in the amount of effort it takes to seek out those targets and infiltrate the networks.”