Kaspersky Lab uncovers “Red October” campaign – Advanced Cyber Espionage

Kaspersky Lab’s team has released information on what it is calling the “Red October” campaign: a cyber-espionage operation which it characterizes as “large” and which has been active for “at least several years”.

Red October Summary:

October 2012: Kaspersky Lab’s Global Research & Analysis Team started a new threat research after a series of attacks against computer networks of various international diplomatic service agencies. A large scale cyber-espionage network was revealed and analyzed during the investigation, which we called «Red October» (after the famous novel «The Hunt For The Red October»).

This report is based on detailed technical analysis of a series of targeted attacks against diplomatic, governmental and scientific research organizations in different countries, mostly related to the region of Eastern Europe, former USSR members and countries in Central Asia.

The main objective of the attackers was to gather intelligence from the compromised organizations, which included computer systems, personal mobile devices and network equipment.

The earliest evidence indicates that the cyber-espionage campaign has been active since 2007 and is still active at the time of writing (January 2013). Besides that, registration data used for the purchase of several Command & Control (C&C) servers and unique malware filenames related to the current attackers hint at an even earlier time of activity dating back to May 2007.

Main points of the advanced espionage network included:

1. It was focused on diplomatic and governmental agencies of various countries around the globe.
2. Diverse architecture: the system used more than 60 domains on servers around the world and was able to route around command-and-control server failures or take-downs, meaning the operators could not easily be “disconnected” from their tools; even if one channel was cut off, they could use a different one to re-connect to the machines they wanted access to.
3. Broad range of target devices: typical malware campaigns tend to target a single class of device, be that servers, workstations, or mobile phones running a single operating system; this network was able to attack a wide range of equipment, from networking infrastructure such as Cisco devices, to Windows and Linux servers, smartphones, removable hard drives and much more.
4. Attackers identified as possibly Russian: coding clues and artifacts in domain registration data, seized servers and similar evidence led Kaspersky Lab to believe the authors of the system are a previously unknown Russian group.

Much more information on Kaspersky Lab Blog: SecureList.com
