Operation Red October: The top-secret global espionage campaign that's been running for five years
A rogue group is covertly collecting top-secret data with an infrastructure rivaling Flame and Stuxnet
Russian anti-virus firm Kaspersky Labs has uncovered a high-level cyber-espionage campaign that has been targeting government agencies, research institutions, and diplomats for the past five years to gather "classified information and geopolitical intelligence," per a report published on Monday. Here's what we know about operation "Red October," which has some hallmarks of government-sponsored C++ computer viruses Flame and Stuxnet that came before it:
What's going on exactly?
A sophisticated digital infrastructure that's utilizing a chain of more than 60 command-and-control servers is silently gathering data from high-profile targets around the world, and avoiding detection. Whoever is behind the operation has been compiling troves of top-secret documents and files from computers, smartphones, and external storage hardware like USB sticks since 2007. Kaspersky says the campaign is still active, with a complexity that rivals the Flame virus allegedly used by the U.S. and Israel to spy on Iran's nuclear efforts.
Subscribe to The Week
Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.
Sign up for The Week's Free Newsletters
From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.
From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.
Who's being targeted?
Most of the targets are in Eastern Europe and Central Asia, but more than 60 countries have been hit; accounts have been compromised in the U.S., Australia, Ireland, Switzerland, Japan, Spain, and more. Kaspersky declined to disclose the identities of the targets, but Kim Zetter at Wired notes that the agencies and institutions involved relate to "nuclear and energy research and companies in the oil and gas and aerospace industries."
How does the attack work?
The Red October worm first infiltrates computers using email attachments — things like Word and Excel files. Once a computer is infected, that data is beamed back to a still-invisible command server mother ship, which assigns each victim's computer a 20-hex digit code to identify it. This foothold, more alarmingly, can spread to mobile devices like smartphones, or even entire enterprise networks like Cisco to steal account information and passwords from databases. It also helps hackers reinfect machines in case the malware is removed by anti-virus scanners. The techniques and code seem to have Chinese origins, and have been used in previous attacks targeting Tibetan activists and military in Asia. (Click here for a detailed walkthrough of how the attack works.)
Sign up for Today's Best Articles in your inbox
A free daily email with the biggest news stories of the day – and the best features from TheWeek.com
Who's behind it?
Unlike Flame and Stuxnet, Red October probably isn't a government-sponsored enterprise. Rather, Kaspersky says the cybercriminals behind this worm are most likely based in Russia, and are looking to sell their intelligence for a premium on the black market to governments and others willing to pay.
What kind of information are they gathering?
They're taking everything: .pdf files, Excel spreadsheets, and documents with .acid extensions, which are run through Acid Cryptofiler, an encryption program used by the French military and NATO. The virus "can also scrub enterprise network equipment and removable disk drives, copy entire email databases from Outlook storage and POP/IMAP servers, and it can even take deleted files off USB sticks using its own recovery mechanism," says Eric Limer at Gizmodo. "Red October doesn't mess around."
What's being done to stop it?
The investigation is still ongoing. Per the report published Monday: "Kaspersky Lab, in collaboration with international organizations, law enforcement, Computer Emergency Response Teams (CERTs), and other IT security companies, is continuing its investigation of Operation Red October by providing technical expertise and resources for remediation and mitigation procedures."
-
'We shouldn't be surprised that crypto is back'
Instant Opinion Opinion, comment and editorials of the day
By Justin Klawans, The Week US Published
-
How the national debt affects your finances
Rachel Reeves has changed the rules, but why does that matter?
By Marc Shoffman, The Week UK Published
-
Could 'adult dorms' save city downtowns?
Today's Big Question 'Micro-apartments' could relieve office vacancies and the housing crisis
By Joel Mathis, The Week US Published