Unidentified attackers stole sensitive information from hundreds of diplomatic, government, research and military organizations from around the world as part of a newly uncovered cyberespionage campaign that started nearly six years ago. The operation involved the use of highly customized and sophisticated data theft malware, researchers from antivirus firm Kaspersky Lab said Monday.
Kaspersky researchers started investigating the ongoing operation, which they dubbed "Red October," in October 2012. However, based on timestamps found in associated malicious files and registration dates for some of the command-and-control domain names, the attack campaign might have started in May 2007, they said Monday in a blog post.
The targeted organizations include embassies, government agencies, military facilities, nuclear and aerospace research institutions, oil and gas companies and other high-profile institutions. Several hundred systems have been infected within the targeted organizations, said Costin Raiu, director of Kaspersky Lab's global research and analysis team.
Many of the affected organizations are located in former USSR states such as Russia, Ukraine, Belarus, Kazakhstan, Armenia and Azerbaijan. However, victims have also been identified in the United States, Brazil, India, Belgium, Switzerland, Germany and other countries, with some specific exceptions such as China, Raiu said.
In total, affected organizations have been identified in 39 countries, according to a detailed analysis of the operation published Monday by Kaspersky Lab.
"We believe that the main goal of this operation is to obtain classified information which can be used for geopolitical gains," Raiu said. There's no proof that this cyberespionage operation is sponsored by a nation state, but the high-profile data stolen from the victims can of course be used by nation states to their advantage. One possibility is that this information is stolen with the intent of being sold to the highest bidder, he said.
The spear-phishing attacks -- targeted email attacks -- associated with this cyberespionage operation distribute malicious documents that exploit known vulnerabilities in Microsoft Excel or Word to install a custom piece of malware on computers. It appears that the same exploits were previously used in targeted attacks against Tibetan activists, as well as military and energy sector targets in Asia.
The exploits used in the Red October operation appear to have been created on computers that use Simplified Chinese character encoding, Raiu said. However, there's strong reason to believe that the distributed malware was created by Russian-speaking developers, he said.
It is unclear why the Red October attackers are reusing the Chinese exploits instead of creating their own, but one possibility is that they are attempting to trick investigators into believing that the attacks are associated with other campaigns, Raiu said.
Despite the fact that these exploits are known, some antivirus products don't detect them because they have been slightly modified to evade detection. It's also possible that other methods of distributing the malware are used, but they haven't been identified yet, Raiu said.
Sign up for CIO Asia eNewsletters.