by Alastair Stevenson
14 Jan 2013
Kaspersky Labs has uncovered another advanced cyber spying campaign targeting numerous governments, political groups, businesses and areas of critical infrastructure.
The discovery follows a five-year hunt by Kaspersky and numerous Cyber Emergency Response Teams (CERT).
While details regarding the campaign's origin remain vague, Kaspersky reported that Red October (Rocra) is believed to have stemmed from a Russian-speaking group and to have been active for at least five years.
The campaign targeted numerous institutions using custom, highly flexible malware spread through a sophisticated phishing campaign.
"Attackers created unique, highly flexible malware to steal data and geopolitical intelligence from target victims' computer systems, mobile phones and enterprise network equipment," read Kaspersky's report.
"The primary focus of this campaign targets countries in Eastern Europe, former USSR republics and countries in Central Asia, although victims can be found everywhere, including Western Europe and North America."
The majority of incidents occurred in Russia, where Kaspersky reported detecting 38 infections, while Kazakhstan took second with 21 infections.
Belgium had 16 infections, presumably due to its strong links with the European Commission, while six infections were detected in the US. The UK had no infections reported.
The malware reportedly added all infected machines to a global intelligence network set up by the malware's authors.
Information stored on the network was in turn used to help the hackers break into additional systems, creating a snowball effect.
"The attackers often used information exfiltrated from infected networks as a way to gain entry into additional systems," read Kaspersky's report.
"To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries, with the majority being in Germany and Russia."
Kaspersky is yet to divulge whether it believes the Red October campaign is state sponsored, though the malware does have several unique features separating it from most common malware.
These include a "Resurrection module", cryptographic spy modules and the ability to infect smartphones and tablets. Windows Phone and iPhone users were said to be susceptible to the attacks.
The resurrection module allows the malware to remain hidden as a plug-in inside Adobe Reader and Microsoft Office installations, theoretically meaning it could re-infect a machine after removal.
The spying modules include a number of files from different cryptographic systems, used by sophisticated government and military organisations like Nato, the European Union, European Parliament and European Commission, Kaspersky reported.
V3 contacted the recently opened European Cybercrime Centre for comment on the finding but had received no reply at time of publication.
Red October is one of many advanced campaigns to have been uncovered by Kaspersky. Earlier in 2012 Kaspersky had helped uncover the infamous Flame malware.