SECURITY RESEARCHERS at Kaspersky Lab have uncovered a cyber attack that could have been stealing documents from diplomatic and government networks, many of them in Russia, for years.
The cyber attack is called Red October and has been aimed at embassies, oil and gas operations, aerospace, military and nuclear research centres, according to Kaspersky Lab.
Kaspersky Lab has blogged about Red October, saying that while it was discovered recently, it has been around for some years and has a definite purpose.
"The attackers have been active for at least five years, focusing on diplomatic and governmental agencies of various countries across the world. Information harvested from infected networks is reused in later attacks. For example, stolen credentials were compiled in a list and used when the attackers needed to guess passwords and network credentials in other locations," it wrote in a post to its Securelist website.
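The credential-reuse pattern Kaspersky describes has a recognisable shape in authentication logs: a single source trying a short list of harvested usernames against several hosts, with few attempts per account, rather than hammering one account the way a brute-force tool would. The following is an added example, not code from the original article or from Kaspersky, that runs that check over a constructed, hypothetical log (the hosts, users and addresses are invented for illustration and the log format is assumed):

```python
import re
from collections import defaultdict

# Constructed sample authentication log; hosts, users and addresses are hypothetical.
SAMPLE_LOG = """\
2013-01-14T09:01:10 host=fileserver01 user=ivanov src=10.0.5.23 result=failure
2013-01-14T09:01:12 host=fileserver01 user=petrov src=10.0.5.23 result=failure
2013-01-14T09:01:15 host=fileserver01 user=sidorov src=10.0.5.23 result=success
2013-01-14T09:02:01 host=mailgw user=ivanov src=10.0.5.23 result=failure
2013-01-14T09:02:05 host=mailgw user=admin src=10.0.5.23 result=success
2013-01-14T09:02:40 host=hr-db user=petrov src=10.0.5.23 result=failure
2013-01-14T09:03:00 host=hr-db user=admin src=10.0.5.23 result=success
2013-01-14T09:10:00 host=fileserver01 user=ivanov src=10.0.7.8 result=failure
2013-01-14T09:10:30 host=fileserver01 user=ivanov src=10.0.7.8 result=success
"""

# Assumed log layout: timestamp, then key=value fields for host, user, source and result.
LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) src=(\S+) result=(success|failure)$")


def parse_events(text):
    """Parse the constructed log into (timestamp, host, user, src, succeeded) tuples.

    Lines that do not match the expected layout are skipped rather than crashing
    the check, so a stray line in a real log cannot stop the whole run.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, user, src, result = m.groups()
            events.append((ts, host, user, src, result == "success"))
    return events


def find_credential_reuse(events, min_users=3, min_hosts=2):
    """Flag source addresses that try at least min_users distinct accounts across
    at least min_hosts distinct hosts.

    A brute-force attack concentrates many failures on one account; a replayed
    list of stolen credentials spreads a few attempts over many accounts and
    hosts, which is the shape this check looks for. Successful logons from a
    flagged source are kept because they show which stolen credentials worked.
    """
    by_src = defaultdict(lambda: {"users": set(), "hosts": set(),
                                  "attempts": 0, "successes": []})
    for _, host, user, src, ok in events:
        rec = by_src[src]
        rec["users"].add(user)
        rec["hosts"].add(host)
        rec["attempts"] += 1
        if ok:
            rec["successes"].append((host, user))

    flagged = {}
    for src, rec in by_src.items():
        if len(rec["users"]) >= min_users and len(rec["hosts"]) >= min_hosts:
            flagged[src] = {
                "users": sorted(rec["users"]),
                "hosts": sorted(rec["hosts"]),
                "attempts": rec["attempts"],
                "successes": rec["successes"],
            }
    return flagged


if __name__ == "__main__":
    for src, info in find_credential_reuse(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {len(info['users'])} accounts on {len(info['hosts'])} hosts, "
              f"{info['attempts']} attempts, {len(info['successes'])} successes")
        for host, user in info["successes"]:
            print(f"  worked: {user}@{host}")
```

In the sample, 10.0.5.23 touches four accounts on three hosts and is flagged, while 10.0.7.8 only retries one user on one host and is not. The thresholds are deliberately low for the toy log; on a real estate they need tuning against service accounts and jump hosts that legitimately log on to many systems.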
"To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries (mainly Germany and Russia). The C&C infrastructure is actually a chain of servers working as proxies and hiding the location of the true 'mothership' command and control server."
Kaspersky said that the attack was aimed at "specific organizations", most of which can be found in Eastern Europe, as well as Central Asia, North America and Western Europe.
Red October is not limited to workstation PCs. Kaspersky said that it could also steal data from mobile devices, including iPhones, Nokia and Windows Mobile phones, and from enterprise network equipment made by Cisco, as well as hijacking files and stealing databases.
Kaspersky has identified eight targeted sectors, but added that it is possible that others have not been discovered yet. Attackers gain initial access through spear phishing emails carrying documents that exploit vulnerabilities in Microsoft Excel and Word.
The largest share of infections, 35, is in the Russian Federation, while the US has just eight. The UK is not listed as a victim. There are twenty countries in the list, and Kaspersky said that these were all the ones it could find that had more than five infections.
It is unclear who is behind Red October, but the researchers said that any underground organisation might be interested in its swag.
"Currently, there is no evidence linking this with a nation-state sponsored attack. The information stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states," it said.
"Such information could be traded in the underground and sold to the highest bidder, which can be of course, anywhere."
The initial malware is only a foothold. Once it is in, it fetches further modules for later deployment, which is how Red October spreads across a network from the first infected machine.
"Typically, the attackers would gather information about the network for a few days, identify key systems and then deploy modules which can compromise other computers in the network, for instance by using the MS08-067 exploit," explained Kaspersky.