Security chiefs at Kaspersky Labs have uncovered evidence of yet more cyber espionage, targeting dozens of governments, businesses, political groups, and other organizations.
Kaspersky said that the discovery was made following an exhaustive five-year investigation carried out alongside numerous Cyber Emergency Response Teams (CERTS). Details about the exact origin of the cyber espionage campaign remain scant, but all evidence points to the involvement of a Russian-speaking group that has been active for at least five years.
The campaign, which has been christened “Red October”, saw numerous governments, diplomatic agencies, nuclear facilities, oil, gas and other institutions targeted by a highly sophisticated phishing campaign that infected thousands of computers with deadly malware. Researchers said that the complex virus was designed to steal the most secure files on these systems, and was even capable of retrieving and then stealing deleted files.
“The primary focus of this campaign targets countries in Eastern Europe, former USSR republics and countries in Central Asia, although victims can be found everywhere, including Western Europe and North America,” said the report.
Kaspersky says that the majority of victims were located in Eastern Europe, with 38 incidents of malware infection discovered in Russia, and another 21 being found in Kazakhstan. Elsewhere, 16 security breaches were found in Belgium, something that is probably connected to its role as host nation of the European Commission, while another six infections took place in the US.
The malware served to create what Kaspersky calls a global intelligence bot network, which was then used by hackers to spread the infection to other machines, creating what it termed a “snowball effect”.
“The attackers often used information exfiltrated from infected networks as a way to gain entry into additional systems,” explained Kaspersky.
“To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries, with the majority being in Germany and Russia.”
Kaspersky hasn’t revealed much regarding what kind of data may have been stolen over the five years that the network was active, nor would it say if it suspected if any states were involved in the plot – but the number of unique features separating the malware from common infections would seem to suggest that the hackers had some kind of backing.
Among these features were what Kaspersky terms a “Resurrection module”, that enables the malware to hide itself in Microsoft Office and Adobe Reader programs once its been detected, meaning it could have the ability to ‘re-infect’ machines even after its been removed. In addition, the malware also possessed the rather unique capacity to infect iPhones and Windows 8 smartphones, as well as regular PCs.
Researchers also discovered a number of cryptographic ‘spying’ modules that originate from sophisticated systems used by organizations such as the EU, Nato, the European Commission and the European Parliament.