Kaspersky uncovers major cyber-espionage plot, 'Red October'

Researchers at security firm Kaspersky Lab have uncovered a sophisticated cyber-espionage network that has been targeting governments and major organisations across the world.

The campaign, which has been dubbed ‘Red October’, has reportedly been infecting computers since 2007 and is still active. It exfiltrates data to multiple command-and-control servers through an infrastructure that rivals 2012’s infamous Flame malware in sophistication.

Kaspersky experts have spent several months analysing the malware, which has successfully gathered data and intelligence from computer systems and network equipment belonging to diplomatic, governmental and scientific research organisations. Most infections have been found in Russian-speaking countries, leading researchers to believe the attackers are from the corresponding region.

Kaspersky counted 35 infected victims in Russia itself, with Kazakhstan and Azerbaijan accounting for 21 and 15 respectively. But the malware has also breached systems in India, Iran, the US, Italy and Greece, among others.

As well as targeting traditional computer workstations, Red October, shortened to ‘Rocra’, is capable of stealing data from smartphones (with iPhone, Nokia and Windows Phone devices identified), Cisco network equipment, removable disk drives, Outlook email databases, and FTP servers on the local network.

The information collected from these sources has been reused to conduct later attacks, with stolen credentials compiled into a list and tried against other systems when a password needed guessing. The attackers have registered more than 60 domains and set up several server hosting locations, mainly in Germany and Russia, as part of the operation.

In a statement, Kaspersky said, "The primary focus of this campaign targets countries in Eastern Europe, former USSR Republics, and countries in Central Asia, although victims can be found everywhere, including Western Europe and North America.

"The main objective of the attackers was to gather sensitive documents from the compromised organisations, which included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment."

The disclosure is 2013’s first major cyber-espionage story. With wide-reaching data-stealing campaigns becoming increasingly familiar in the security world, the EU has attempted to combat the growing problem by launching the European Cybercrime Centre, which opened on Friday.