Kaspersky Unearths “Red October” Cyber Espionage Campaign

Security researchers at Kaspersky Lab have uncovered evidence of yet another long-running cyber-espionage campaign, this one targeting dozens of governments, businesses, political groups, and other organizations.

Kaspersky said the discovery came out of an investigation begun in October 2012 and carried out alongside several national Computer Emergency Response Teams (CERTs). Details about the exact origin of the campaign remain scant, but the evidence, including Russian-language artifacts left in the malware modules, points to a Russian-speaking group that has been active since at least 2007, roughly five years.

The campaign, which has been christened “Red October”, saw governments, diplomatic agencies, nuclear facilities, oil, gas and other institutions targeted by a sophisticated spear-phishing campaign that delivered booby-trapped Microsoft Office documents and infected thousands of computers with a modular backdoor. Researchers said the malware was built to harvest sensitive documents, credentials and configuration data from the infected systems, and was even capable of recovering deleted files from removable USB drives.

“The primary focus of this campaign targets countries in Eastern Europe, former USSR republics and countries in Central Asia, although victims can be found everywhere, including Western Europe and North America,” said the report.

Kaspersky says that the majority of victims were located in Eastern Europe, with 38 malware infections discovered in Russia and another 21 found in Kazakhstan. Elsewhere, 16 infections were found in Belgium, something that is probably connected to its role as host nation of the European Commission, while another six were recorded in the US.

The malware served to create what Kaspersky calls a global intelligence bot network, which was then used by hackers to spread the infection to other machines, creating what it termed a “snowball effect”.

“The attackers often used information exfiltrated from infected networks as a way to gain entry into additional systems,” explained Kaspersky.

“To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries, with the majority being in Germany and Russia.”

Map of countries affected by the “Red October” espionage campaign

Kaspersky hasn’t revealed much regarding what kind of data may have been stolen over the five years that the network was active, nor would it say whether it suspects any state involvement in the plot, but the number of unique features separating the malware from common infections suggests the attackers were well resourced.

Among these features is what Kaspersky terms a “Resurrection module”: a plugin hidden inside Microsoft Office and Adobe Reader installations that lets the attackers regain access after the main malware has been detected and removed, simply by emailing the victim a specially crafted document that triggers the plugin and re-infects the machine. In addition, the malware also possessed the unusual ability to steal data from mobile devices connected to infected PCs, including iPhones and Nokia and Windows Mobile handsets, as well as from regular PCs.

Researchers also found that the malware specifically hunts for files created by Acid Cryptofiler, an encryption tool used by organizations such as the EU, Nato, the European Commission and the European Parliament to protect classified documents.

Mike Wheatley

Mike Wheatley is a senior staff writer at SiliconANGLE. He loves to write about Big Data and the Internet of Things, and explore how these technologies are evolving and helping businesses to become more agile.

Before joining SiliconANGLE, Mike was an editor at Argophilia Travel News, an occasional contributor to The Epoch Times, and has also dabbled in SEO and social media marketing. He usually bases himself in Bangkok, Thailand, though he can often be found roaming through the jungles or chilling on a beach.

Got a news story or tip? Email Mike@SiliconANGLE.com.