Kaspersky: 'Red October' Attacks Harvesting Mobile Device Data

Researchers at Kaspersky Lab are tracking a highly targeted cyberespionage campaign that they believe is responsible for stealing confidential data from a wide variety of government, scientific and energy sector organizations.

Called Red October by the Kaspersky research team, the attack operation is extremely sophisticated, rivaling the Flame and Gauss/Tilded cyberespionage attacks, but a lot more "finely tuned for the victims," according to Kaspersky.

Red October, or Rocra, has been active for the past five years. The malware toolkit contains 30 different modules but has managed to evade antivirus detection, Kaspersky said in its analysis of the Rocra attacks issued Monday. The attackers are harvesting data from mobile devices, computer systems and network equipment, Kaspersky said.

Hundreds of victims have been identified, from government agencies, scientific and research organizations, to energy and defense industries. Once the victim's system is infected, the attackers take complete control, stealthily collecting account credentials, sensitive documents and other data.

[Related: Information Security In A Post-Stuxnet World ]

"The main purpose of the operation appears to be the gathering of classified information and geopolitical intelligence, although it seems that the information-gathering scope is quite wide," the Kaspersky researchers noted in the report. "During the past five years, the attackers collected information from hundreds of high-profile victims although it's unknown how the information was used."

The researchers used spearphishing attacks -- email messages with poisoned Microsoft Excel and Microsoft Word file attachments -- to trick victims into opening the documents and installing the malicious payload.

In addition to traditional workstations, the attackers appear to be stealing data from mobile devices including the Apple iPhone and Nokia and Windows Mobile smartphones, Kaspersky said. Data from removable disk drives is being copied and stolen and email databases from local Outlook storage are being reviewed and stolen from local network FTP servers, according to Kaspersky.

NEXT: Attacks Appear To Originate In China

The attack campaigns are designed to be highly targeted, picking individuals located in Eastern Europe, former Soviet bloc countries and Central Asia. Kaspersky said it also detected attacks in the U.S. The researchers said they uncovered more than 60 domain names located in Russia and Germany. The command and control servers are used to control infected systems and retrieve data from victims.

Kaspersky said the attacks appear to originate in China, but the security firm stopped short of calling it a nation-state-sponsored cyberespionage campaign. Kaspersky linked the exploits to Chinese hackers and the malware modules used in the targeted attacks to Russian-speaking operatives.

"The information stolen by the attackers is obviously of the highest level and includes geopolitical data, which can be used by nation states," Kaspersky said in its report. "Such information could be traded in the underground and sold to the highest bidder, which can be, of course, anywhere."

Kaspersky has been issuing reports on cyberespionage attacks and other malware campaigns believed to be nation-state-sponsored. The company was among the first to produce information on the Stuxnet rootkit designed, researchers believe, to target a uranium enrichment facility in Iran.

The company also has released extensive analysis on Flame, Duqu, Gauss and Shamoon, all malware families used in targeted attack campaigns and designed to steal data. Its researchers have linked a module in Flame to one used in the Stuxnet attack, making it appear that the attacks are coming from the same source.

PUBLISHED JAN. 14, 2013