Operation Red October: The top-secret global espionage campaign that's been running for five years

A rogue group is covertly collecting top-secret data with an infrastructure rivaling Flame and Stuxnet

Red October infiltrates computers using email attachments and then beams back data completely undetected.
(Image credit: Thinkstock)

Russian anti-virus firm Kaspersky Labs has uncovered a high-level cyber-espionage campaign that has been targeting government agencies, research institutions, and diplomats for the past five years to gather "classified information and geopolitical intelligence," per a report published on Monday. Here's what we know about operation "Red October," which has some hallmarks of government-sponsored C++ computer viruses Flame and Stuxnet that came before it:

What's going on exactly?

The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.

SUBSCRIBE & SAVE
https://cdn.mos.cms.futurecdn.net/flexiimages/jacafc5zvs1692883516.jpg

Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

Sign up

Who's being targeted?

Most of the targets are in Eastern Europe and Central Asia, but more than 60 countries have been hit; accounts have been compromised in the U.S., Australia, Ireland, Switzerland, Japan, Spain, and more. Kaspersky declined to disclose the identities of the targets, but Kim Zetter at Wired notes that the agencies and institutions involved relate to "nuclear and energy research and companies in the oil and gas and aerospace industries."

How does the attack work?

The Red October worm first infiltrates computers using email attachments — things like Word and Excel files. Once a computer is infected, that data is beamed back to a still-invisible command server mother ship, which assigns each victim's computer a 20-hex digit code to identify it. This foothold, more alarmingly, can spread to mobile devices like smartphones, or even entire enterprise networks like Cisco to steal account information and passwords from databases. It also helps hackers reinfect machines in case the malware is removed by anti-virus scanners. The techniques and code seem to have Chinese origins, and have been used in previous attacks targeting Tibetan activists and military in Asia. (Click here for a detailed walkthrough of how the attack works.)

Who's behind it?

Unlike Flame and Stuxnet, Red October probably isn't a government-sponsored enterprise. Rather, Kaspersky says the cybercriminals behind this worm are most likely based in Russia, and are looking to sell their intelligence for a premium on the black market to governments and others willing to pay.

What kind of information are they gathering?

They're taking everything: .pdf files, Excel spreadsheets, and documents with .acid extensions, which are run through Acid Cryptofiler, an encryption program used by the French military and NATO. The virus "can also scrub enterprise network equipment and removable disk drives, copy entire email databases from Outlook storage and POP/IMAP servers, and it can even take deleted files off USB sticks using its own recovery mechanism," says Eric Limer at Gizmodo. "Red October doesn't mess around."

What's being done to stop it?

The investigation is still ongoing. Per the report published Monday: "Kaspersky Lab, in collaboration with international organizations, law enforcement, Computer Emergency Response Teams (CERTs), and other IT security companies, is continuing its investigation of Operation Red October by providing technical expertise and resources for remediation and mitigation procedures."

Chris Gayomali is the science and technology editor for TheWeek.com. Previously, he was a tech reporter at TIME. His work has also appeared in Men's Journal, Esquire, and The Atlantic, among other places. Follow him on Twitter and Facebook.