Kaspersky: 'Red October' Attacks Harvesting Mobile Device Data

By Robert Westervelt
January 14, 2013    12:22 PM ET

Researchers at Kaspersky Lab are tracking a highly targeted cyberespionage campaign that they believe is responsible for stealing confidential data from a wide variety of government, scientific and energy sector organizations.

Called Red October by the Kaspersky research team, the attack operation is extremely sophisticated, rivaling the Flame and Gauss/Tilded cyberespionage attacks, but a lot more "finely tuned for the victims," according to Kaspersky.

Red October, or Rocra, has been active for the past five years. The malware toolkit contains 30 different modules but has managed to evade antivirus detection, Kaspersky said in its analysis of the Rocra attacks issued Monday. The attackers are harvesting data from mobile devices, computer systems and network equipment, Kaspersky said.

Hundreds of victims have been identified, from government agencies, scientific and research organizations, to energy and defense industries. Once the victim's system is infected, the attackers take complete control, stealthily collecting account credentials, sensitive documents and other data.

"The main purpose of the operation appears to be the gathering of classified information and geopolitical intelligence, although it seems that the information-gathering scope is quite wide," the Kaspersky researchers noted in the report. "During the past five years, the attackers collected information from hundreds of high-profile victims although it's unknown how the information was used."

The attackers used spearphishing -- email messages carrying booby-trapped Microsoft Excel and Microsoft Word attachments -- to trick victims into opening the documents and installing the malicious payload.

In addition to traditional workstations, the attackers appear to be stealing data from mobile devices, including the Apple iPhone and Nokia and Windows Mobile smartphones, Kaspersky said. Data is being copied from removable disk drives, and email databases are being retrieved and stolen from local Outlook storage and from FTP servers on the local network, according to Kaspersky.
