Sergei L. Loiko
In what is being called a new hunt for Red October, a Russian cyber-security company says it has discovered a major international malware system that has attacked and compromised the computers of government agencies, diplomatic consulates, research centers and defense installations, among other sensitive institutions.
The malware has siphoned off terabytes’ worth of information, much of it classified, researchers with Moscow-based Kaspersky Lab said in a report this week. The origin of the program and the motives of the attackers remain elusive, but there are hints that the programmers are Russian, the report says.
“Last October we first received from our clients samples of something we soon gathered was not just a malware program but a multi-component attack platform, initially targeting embassies around the world,” Vitaly Kamlyuk, a senior anti-virus expert at Kaspersky, said in an interview Wednesday. “We called the virus ‘Red October’ because we detected it in October and because it required a level of red-alert attention to tackle.”
Similar to the Flame virus, a now-defunct spyware program Kaspersky thwarted last year, the new virus usually infiltrates computers through an email attachment camouflaged to mimic ordinary business correspondence, the expert said.
“One embassy was looking to buy a car and received the virus in a car sale proposal they soon found in their inbox,” Kamlyuk said.
Kaspersky, a leading developer of commercial anti-virus software, said it found victims of the malware with IP addresses in 39 countries, led by Switzerland, Kazakhstan and Greece. The most common targets included embassies, government agencies and research institutes, as well as aerospace and energy companies.
Kaspersky said the malware was probably being operated by a government or criminal organization large enough to employ at least two dozen highly trained programmers.
Independent experts in the United States offered differing views on who might be responsible.
“The two primary suspects for this operation would have been either Russia or China, just based on some of the data,” said John Bumgarner, research director for the U.S. Cyber Consequences Unit, a nongovernmental think tank.
But researcher Jeffrey Carr, author of “Inside Cyber Warfare,” theorized that the malware was the work of the foreign intelligence service of a NATO or European Union country, and that the intent was to spy on Russian embassies.
“It’s a pretty good guess” that Russia’s spy service, the FSB, approached Kaspersky and asked the firm to investigate, Carr said. “One of the indications was that they were specifically looking for Russian documents.”
Kaspersky researchers said the spyware, when first installed, might be only several hundred kilobytes in size, minuscule by modern computer standards. But as it gets established and communicates with its controllers, it may grow to several megabytes.
The virus records the names of the users, their IP addresses, information stored on their processors and local disks, the history of browsers, logins and passwords, and the records of devices plugged into USB ports, including smartphones, according to the report.
Like the Flame program, the new virus can record screen shots, as well as keystrokes.
Evidence of the Red October virus dates to May 2007, Kamlyuk said. The program was embedded in Microsoft Excel and Word documents that had been used by Chinese hackers against Asian companies and Tibetan political activists, Kamlyuk said.
"But soon enough,” he said, “we realized that, despite its obvious Chinese roots and the fact that no agencies in China were in fact targets of the new malicious program, the Chinese hackers had nothing to do with Red October.”
The language used in the malware was primarily English, but not that of a native English speaker. It included Cyrillic symbols and transliterations of terms from Russian computer jargon, the researchers said.
For instance, Kamlyuk said, the malware sometimes uses the Russian word “zakladka” for “bookmark” or “marker” and “proga” for “programs.”
“Many domain names of the malware were registered under fake Russian names and addresses too,” he said.
“Now we have come to the realization that we are dealing with something programmed by Russian-speaking experts, based on Chinese hackers’ exploit documents and mostly aimed at embassies of and other targets in Russia and its former Soviet satellites,” Kamlyuk said.
Sergei Karaganov, honorary chairman of the Council on Foreign and Defense Policy, a Moscow-based think tank, said in an interview that such cyber-espionage is increasingly common and that Russia and other countries have attempted to create international protocols to combat it.
“But every time, their attempts have been thwarted by the stiff resistance on the part of the United States, which probably counts too much on its supremacy in this sphere,” he said. “On the other hand, I wouldn’t rule out the possibility of this being an ingenious trick on the part of Kaspersky Lab to boost their trade.”