A major cyber-attack that may have been stealing confidential documents since 2007 has been discovered by Russian researchers.
Kaspersky Labs told the BBC the malware targeted government institutions such as embassies, nuclear research centres and oil and gas institutes.
It was designed to steal encrypted files - and was even able to recover files that had been deleted.
One expert described the attack find as "very significant".
"It appears to be trying to suck up all the usual things - word documents, PDFs, all the things you'd expect," said Prof Alan Woodward, from the University of Surrey.
"But a couple of the file extensions it's going after are very specific encrypted files."
In a statement, Kaspersky Labs said: "The primary focus of this campaign targets countries in Eastern Europe, former USSR Republics, and countries in Central Asia, although victims can be found everywhere, including Western Europe and North America.
"The main objective of the attackers was to gather sensitive documents from the compromised organisations, which included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment."
'Carefully selected'
In an interview with the BBC, the company's chief malware researcher Vitaly Kamluk said victims had been carefully selected.
"It was discovered in October last year," Mr Kamluk said.
"We initiated our checks and quite quickly understood that this is a massive cyber-attack campaign.
"There was a quite limited set of targets that were affected - they were carefully selected. They seem to be related to some high-profile organisations."
Red October - which is named after a Russian submarine featured in the Tom Clancy novel The Hunt For Red October - bears many similarities with Flame, a cyber-attack discovered last year.
Like Flame, Red October is made up of several distinct modules, each with a set objective or function.
"There is a special module for recovering deleted files from USB sticks," Mr Kamluk said.
"It monitors when a USB stick is plugged in, and it will try to undelete files. We haven't seen anything like that in a malware before."
Also unique to Red October was its ability to hide on a machine as if deleted, said Prof Woodward.
"If it's discovered, it hides.
"When everyone thinks the coast is clear, you just send an email and 'boof' it's back and active again."
Cracked encryption
Other modules were designed to target files encrypted using a system known as Cryptofiler - an encryption standard that used to be in widespread use by intelligence agencies but is now less common.
Prof Woodward explained that while Cryptofiler is no longer used for extremely sensitive documents, it is still used by the likes of Nato for protecting privacy and other information that could be valuable to hackers.
Red October's targeting of Cryptofiler files could suggest its encryption methods had been "cracked" by the attackers.
Like most malware attacks, there are clues as to its origin - however, security experts warn that any calling cards found within the attack's code could in fact be an attempt to throw investigators off the real scent.
Kaspersky's Mr Kamluk said the code was littered with broken, Russian-influenced English.
"We've seen use of the word 'proga' - a slang word common among Russians which means program or application. It's not used in any other language as far as we know."
But Prof Woodward added: "In the sneaky old world of espionage, it could be a false flag exercise. You can't take those things at face value."
Kaspersky's research indicated there were 55,000 connection targets within 250 different IP addresses. In simpler terms, this means that large numbers of computers were infected in single locations - possibly government buildings or facilities.
A 100-page report into the malware is to be published later this week, the company said.