Researchers from antivirus firm Kaspersky Lab have discovered something that sounds like it came straight out of a spy movie: a massive, ongoing espionage network targeting hundreds of governmental, diplomatic and scientific organizations in at least 39 countries. Before you start pointing fingers at whoever might be responsible this time around, note that the United States, Iran, and the Russian Federation are all targets of the attack.
Kaspersky Lab researchers have dubbed it Operation Red October, and it has been active since 2007. Because it has gone undiscovered for 5 years now, there is a strong possibility that hundreds of terabytes of sensitive information have already been stolen. Attack profiles are customized for each victim using more than 1,000 distinct modules. It is also capable of attacking a wide variety of devices, including PCs, networking equipment from Cisco Systems and even smartphones from Apple, Microsoft, and Nokia. Some of these modules target files encrypted with a system called Cryptofiler, a standard that is now less common but still used by NATO for protecting private information that could be valuable to attackers. The targeting of these files suggests that the attackers may already have found a way to read them.
The command-and-control network it uses rivals that of the Flame espionage malware that was used to attack Iran. That infrastructure uses more than 60 domain names as proxies to obscure the final destination of the stolen data. Researchers believe that these domains funnel data to another tier of proxies, which in turn send the information to a “mothership.” The Red October malware has been present on more than 300 PCs for the last 5 years and yet remained undetected. Kurt Baumgartner of Kaspersky Lab had this to say about the malware:
“This is a pretty glaring example of a multiyear cyber espionage campaign. We haven’t seen these sorts of modules being distributed, so the customized approach to attacking individual victims is something we haven’t seen before at this level.”
“It’s been a very well-maintained and set-up infrastructure that’s supported with multiple levels of proxies in order to hide away the mothership. They’ve been very effective at cycling through these domains and staying under the radar for the past five years.”
Despite the scale of the attacks, little is known about the individuals or groups behind Operation Red October. The code is littered with broken, Russian-influenced English, but many of the exploits used were initially developed by Chinese hackers. The long list of victims also helps cloud the identity of the attackers. So despite the “evidence” currently available, Professor Alan Woodward from the University of Surrey says that no one can be too sure just yet.
“In the sneaky old world of espionage, it could be a false flag exercise. You can’t take those things at face value,” said Woodward.
“There’s not enough evidence to link it to a nation-state, but certainly this level of interest and multi-year, ongoing campaign puts it up there with something like Flame and Duqu in the amount of effort it takes to seek out those targets and infiltrate the networks.”
…Any guesses as to who is behind this? If I were to guess, I’d say the big fat country in Asia that shows no red on the map shown above. But that is just a guess — it could very well be Canada.