Diplomatic and government agencies targeted in years-long cyberespionage operation
The attackers used custom malware to target organizations from 39 countries, Kaspersky Lab says
IDG News Service - Unidentified attackers stole sensitive information from hundreds of diplomatic, government, research and military organizations from around the world as part of a newly uncovered cyberespionage campaign that started nearly six years ago. The operation involved the use of highly customized and sophisticated data theft malware, researchers from antivirus firm Kaspersky Lab said Monday.
Kaspersky researchers started investigating the ongoing operation, which they dubbed "Red October," in October 2012. However, based on timestamps found in associated malicious files and registration dates for some of the command-and-control domain names, the attack campaign might have started in May 2007, they said Monday in a blog post.
The targeted organizations include embassies, government agencies, military facilities, nuclear and aerospace research institutions, oil and gas companies and other high-profile institutions. Several hundred systems have been infected within the targeted organizations, said Costin Raiu, director of Kaspersky Lab's global research and analysis team.
Many of the affected organizations are located in former USSR states such as Russia, Ukraine, Belarus, Kazakhstan, Armenia and Azerbaijan. However, victims have also been identified in the United States, Brazil, India, Belgium, Switzerland, Germany and other countries, with some specific exceptions such as China, Raiu said.
In total, affected organizations have been identified in 39 countries, according to a detailed analysis of the operation published Monday by Kaspersky Lab.
"We believe that the main goal of this operation is to obtain classified information which can be used for geopolitical gains," Raiu said. There's no proof that this cyberespionage operation is sponsored by a nation state, but the high-profile data stolen from the victims can of course be used by nation states to their advantage. One possibility is that this information is stolen with the intent of being sold to the highest bidder, he said.
The spear-phishing attacks -- targeted email attacks -- associated with this cyberespionage operation distribute malicious documents that exploit known vulnerabilities in Microsoft Excel or Word to install a custom piece of malware on computers. It appears that the same exploits were previously used in targeted attacks against Tibetan activists, as well as military and energy sector targets in Asia.
The exploits used in the Red October operation appear to have been created on computers that use Simplified Chinese character encoding, Raiu said. However, there's strong reason to believe that the distributed malware was created by Russian-speaking developers, he said.
It is unclear why the Red October attackers are reusing the Chinese exploits instead of creating their own, but one possibility is that they are attempting to trick investigators into believing that the attacks are associated with other campaigns, Raiu said.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts