Russian anti-virus firm Kaspersky Labs has uncovered a high-level cyber-espionage campaign that has been targeting government agencies, research institutions, and diplomats for the past five years to gather "classified information and geopolitical intelligence," per a report published on Monday. Here's what we know about operation "Red October," which has some hallmarks of government-sponsored C++ computer viruses Flame and Stuxnet that came before it:
What's going on exactly?
A sophisticated digital infrastructure that's utilizing a chain of more than 60 command-and-control servers is silently gathering data from high-profile targets around the world, and avoiding detection. Whoever is behind the operation has been compiling troves of top-secret documents and files from computers, smartphones, and external storage hardware like USB sticks since 2007. Kaspersky says the campaign is still active, with a complexity that rivals the Flame virus allegedly used by the U.S. and Israel to spy on Iran's nuclear efforts.
Who's being targeted?
Most of the targets are in Eastern Europe and Central Asia, but more than 60 countries have been hit; accounts have been compromised in the U.S., Australia, Ireland, Switzerland, Japan, Spain, and more. Kaspersky declined to disclose the identities of the targets, but Kim Zetter at Wired notes that the agencies and institutions involved relate to "nuclear and energy research and companies in the oil and gas and aerospace industries."
How does the attack work?
The Red October worm first infiltrates computers using email attachments — things like Word and Excel files. Once a computer is infected, that data is beamed back to a still-invisible command server mother ship, which assigns each victim's computer a 20-hex digit code to identify it. This foothold, more alarmingly, can spread to mobile devices like smartphones, or even entire enterprise networks like Cisco to steal account information and passwords from databases. It also helps hackers reinfect machines in case the malware is removed by anti-virus scanners. The techniques and code seem to have Chinese origins, and have been used in previous attacks targeting Tibetan activists and military in Asia. (Click here for a detailed walkthrough of how the attack works.)
Who's behind it?
Unlike Flame and Stuxnet, Red October probably isn't a government-sponsored enterprise. Rather, Kaspersky says the cybercriminals behind this worm are most likely based in Russia, and are looking to sell their intelligence for a premium on the black market to governments and others willing to pay.
What kind of information are they gathering?
They're taking everything: .pdf files, Excel spreadsheets, and documents with .acid extensions, which are run through Acid Cryptofiler, an encryption program used by the French military and NATO. The virus "can also scrub enterprise network equipment and removable disk drives, copy entire email databases from Outlook storage and POP/IMAP servers, and it can even take deleted files off USB sticks using its own recovery mechanism," says Eric Limer at Gizmodo. "Red October doesn't mess around."
What's being done to stop it?
The investigation is still ongoing. Per the report published Monday: "Kaspersky Lab, in collaboration with international organizations, law enforcement, Computer Emergency Response Teams (CERTs), and other IT security companies, is continuing its investigation of Operation Red October by providing technical expertise and resources for remediation and mitigation procedures."