This week the Moscow-based antivirus company Kaspersky Lab has revealed details of a five year long campaign that apparently targeted diplomatic, governmental and scientific-research organizations across the former Soviet Union. This attack used software known as Operation Red October, aka Rocra, a piece of malware designed to locate and make copies of both encrypted and non-encrypted documents in a target’s computer. This attack appears to have been spread across hundreds of victims since 2007 with an intent on gathering classified information as well as geopolitical intelligence.
Kaspersy chief malware expert Vitaly Kamluk spoke on the situation this week, noting that “there are about 300 computers infected that we know about.” These computers include those owned by embassies, government research centers, and aerospace facilities throughout former Soviet states as well as Belgium and India. Most of the attacks appear to have been directed at former Soviet states while Belgium and India each suffered a total of 15 infections, while the United States and Iran were confirmed to have suffered six and seven attacks, respectively.
The team at Kaspersy noted that though they’d found a set of 60 “command and control” servers throughout Germany and Russia that were responsible for these attacks, they each appeared to have been controlled by a sort of “mother ship” server which they’ve not yet located. Each of the attacks thus far appear to have been attached to Microsoft Word or Excel documents and delivered via email. When the document was downloaded and opened, a connection was made between the computer and one of the many command and control servers which then delivered the files necessary to collect secure data.
This Rocra malware was also spread with USB drives as well as through smartphones, not just through desktop machines. Mentions of Russian words throughout the discovered malware systems have been suggested to either point towards the software as being Russian in origin or placed deliberately to make the software appear to have come from Russia when in fact it was made by a different group entirely.
We’ll see more information on this relatively widespread attack in coming weeks, without a doubt. Stay tuned to SlashGear’s hacking tag to see all the action as it comes down.
[via Wall Street Journal]