Kaspersky Lab reveals international cyberspies
Cybercriminals focusing on Russia, the former Soviet Union, Eastern Europe and some Central Asian countries have stolen confidential data to gain access to computer systems, personal mobile devices and corporate networks, and geopolitical data.
In October 2012, Kaspersky Lab’s team of experts initiated an investigation following a series of attacks that targeted the computer networks of international diplomatic service agencies. A large-scale cyber espionage network was revealed during the investigation. According to Kaspersky Lab’s analysis report, operation Red October has been a sustained campaign dating back as far as 2007.
“We initiated the investigation once we received files from a partner of ours who wanted to remain anonymous. We soon understood that we were dealing with one of the most widespread cyber espionage campaigns that we had ever encountered,” Kaspersky’s chief malware expert, Vitaly Kamlyuk, told CNews.
“The size and variety of the malicious code was simply incredible, with over 1,000 unique files and 34 types of modules. Furthermore, we believe that we can only see part of a much bigger picture.”
The attackers infected around 300 computers and mobile devices over five years and stole hundreds of terabytes of data. To this end, they created more than 60 domain names and several server hosting locations in different countries, with the majority located in Germany and Russia. The location of the main server remains unknown.
There is strong evidence to suggest that the code was written by Russian programmers, as Russian words and slang appear in the texts of the virus modules. Kaspersky Lab has been unable to identify the hackers’ affiliation or goals, however.
The attackers have been focusing not only on diplomatic and governmental agencies, but also on research institutions, trade and military organizations, and the nuclear, oil, gas and aerospace industries. Files of various formats were stolen from infected systems. Experts also discovered files with “acid” extensions, which appear to refer to the classified Acid Cryptofiler software used by several European Union and NATO organizations.
Kaspersky Lab has chosen not to reveal the names of the institutions that have been targeted until the investigation has been completed.
To infect systems, the attackers sent targeted spear-phishing emails to victims; the emails were “tailored” to the interests of each recipient, Kamlyuk said in an interview with Vedomosti. Malicious emails included customized Trojan droppers and exploits that were rigged for security vulnerabilities inside Microsoft Office.
The exploits were created by other attackers and employed during different cyber-attacks – including those against Tibetan activists and military and energy sector targets in Asia.
Among the unique features of the malware is a module that enables the attackers to “resurrect” infected machines. The module is embedded as a plug-in inside Adobe Reader and Microsoft Office installations, providing the attackers a foolproof way to regain access to a targeted system if the main malware body is discovered and removed, or if the system is patched. Furthermore, it enables the attackers to steal data from mobile devices.
Kaspersky Lab is continuing its investigation in collaboration with international organizations, law enforcement agencies and Computer Emergency Response Teams (CERTs).
“Over the past five years, cyber espionage campaigns have evolved from isolated attacks targeting specific vulnerabilities to industrial scale systems,” the executive director of Peak Systems, Maksim Emm, told Vedomosti. “You don’t have to conduct a targeted attack to obtain data, because the computers you need (say, in state agencies) are already infected, and access to them is sold by botnet (computer networks with breached defenses) owners,” said Emm.
“To protect your data, you need to take a complex approach and use both technical measures, including antivirus software (however, attackers often remain undetected if they know which software the victim is using), and organizational measures, including bans on opening links and attachments in emails received from unknown addresses and using the same storage devices for internal and external systems,” Kamlyuk said.
“The more echelons the cyber protection of an organization has, the higher the chance that the attack will be repelled,” said Emm. “These include timely software updates, using software only from reliable producers, antivirus software and, finally, the physical isolation of the computers with confidential information from those with Internet connections.”