Russian anti-virus firm Kaspersky Labs has uncovered a high-level cyber-espionage campaign that has been targeting government agencies, research institutions, and diplomats for the past five years to gather "classified information and geopolitical intelligence," per a report published on Monday. Here's what we know about operation "Red October," which has some hallmarks of government-sponsored C++ computer viruses Flame and Stuxnet that came before it:
What's going on exactly?
The Week
Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.
Sign up for The Week's Free Newsletters
From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.
From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.
Who's being targeted?
Most of the targets are in Eastern Europe and Central Asia, but more than 60 countries have been hit; accounts have been compromised in the U.S., Australia, Ireland, Switzerland, Japan, Spain, and more. Kaspersky declined to disclose the identities of the targets, but Kim Zetter at Wired notes that the agencies and institutions involved relate to "nuclear and energy research and companies in the oil and gas and aerospace industries."
How does the attack work?
The Red October worm first infiltrates computers using email attachments — things like Word and Excel files. Once a computer is infected, that data is beamed back to a still-invisible command server mother ship, which assigns each victim's computer a 20-hex digit code to identify it. This foothold, more alarmingly, can spread to mobile devices like smartphones, or even entire enterprise networks like Cisco to steal account information and passwords from databases. It also helps hackers reinfect machines in case the malware is removed by anti-virus scanners. The techniques and code seem to have Chinese origins, and have been used in previous attacks targeting Tibetan activists and military in Asia. (Click here for a detailed walkthrough of how the attack works.)
Who's behind it?
Unlike Flame and Stuxnet, Red October probably isn't a government-sponsored enterprise. Rather, Kaspersky says the cybercriminals behind this worm are most likely based in Russia, and are looking to sell their intelligence for a premium on the black market to governments and others willing to pay.
What kind of information are they gathering?
They're taking everything: .pdf files, Excel spreadsheets, and documents with .acid extensions, which are run through Acid Cryptofiler, an encryption program used by the French military and NATO. The virus "can also scrub enterprise network equipment and removable disk drives, copy entire email databases from Outlook storage and POP/IMAP servers, and it can even take deleted files off USB sticks using its own recovery mechanism," says Eric Limer at Gizmodo. "Red October doesn't mess around."
What's being done to stop it?
The investigation is still ongoing. Per the report published Monday: "Kaspersky Lab, in collaboration with international organizations, law enforcement, Computer Emergency Response Teams (CERTs), and other IT security companies, is continuing its investigation of Operation Red October by providing technical expertise and resources for remediation and mitigation procedures."
-
How clean-air efforts may have exacerbated global warmingUnder the Radar Air pollution artificially cooled the Earth, ‘masking’ extent of temperature increase
-
September 14 editorial cartoonsCartoons Sunday’s political cartoons include RFK Jr on the hook, the destruction of discourse, and more
-
Air strikes in the Caribbean: Trump’s murky narco-warTalking Point Drug cartels ‘don’t follow Marquess of Queensberry Rules’, but US military air strikes on speedboats rely on strained interpretation of ‘invasion’
