Diplomatic and government agencies targeted in years-long cyberespionage operation
Despite the fact that these exploits are known, some antivirus products don't detect them because they have been slightly modified to evade detection. It's also possible that other methods of distributing the malware are used, but they haven't been identified yet, Raiu said.
The malware installed on computers can download and execute additional encrypted modules, each with its own specific functionality. More than 1,000 modules have been identified so far by the Kaspersky researchers.
Once a system is infected, the attackers spend a few days performing reconnaissance by using different modules to gather information from the system such as, for instance, what applications are installed, what USB devices are attached, the browser history, the stored FTP and email credentials, and the available remote shares.
Additional modules are then deployed to steal data from USB drives, including deleted files, download contact lists, call history, calendar entries or SMS messages from connected mobile phones (Windows Mobile, iPhones and Nokia phones are supported); steal emails from local Outlook storage or remote IMAP/POP3 servers; take screenshots and record keystrokes; and more.
There are also modules for so-called "lateral movement" inside the network -- the infection of other systems on the network. These modules can scan for and exploit known vulnerabilities on other systems, download configuration data from routers, access local FTP servers and other types of servers with stolen credentials, and more.
The types of files targeted by the malware include: txt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau, cif, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca, aciddsk, acidpvr, acidppr and acidssa.
The acid* files are particularly interesting because they are associated with a classified piece of software called "Acid Cryptofiler" that is used by government organizations to encrypt files and hard drives, Raiu said. Searches on Google will reveal that this software is used by entities like the European Union and NATO, he said.
For the most part, the Red October campaign has gone undetected for more than five years. Some of the malware's modules have been detected from time to time by antivirus products, but no one has ever put the pieces together to uncover the full extent of the operation until now, Raiu said.
The Kaspersky researchers believe that the Red October campaign is more sophisticated than previously documented cyberespionage campaigns like Aurora or Night Dragon. Some of those attacks might have used zero-day exploits -- exploits for previously unknown and unpatched vulnerabilities -- for distribution, but this attack is much more complex in terms of lateral movement and data exfiltration, Raiu said.
- Data Protection eGuide In this eGuide, CSO and sister publications IDG News Service, Computerworld, and CIO pull together news, trend, and how-to articles about the increasingly...
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!