Kaspersky Lab has uncovered a dangerous cyber espionage campaign stealing vast amounts of sensitive data from 350 unnamed ‘high profile’ businesses and government agencies, some of which are based in the UK.
The Russian security firm reported uncovering the campaign, codenamed Operation NetTraveler, on Tuesday, confirming it had detected it running in over 40 countries. Known victims are located in the UK and US as well as Canada, Russia and China.
The malware has infected a wide variety of organisations in both the public and private sector. These include government institutions, embassies, research centres, military contractors, activists, and several firms in infrastructure sectors such as the oil and gas industry. Kaspersky said the toolkit is designed for data theft and espionage, not for sabotage like the infamous Stuxnet malware.
The Russian firm said that at least six of the known victims had also been successfully infiltrated by the previously discovered Red October campaign, indicating that several high-profile, well-funded hacker groups are active in the wild. Red October is a cyber espionage campaign believed to be run by cyber criminals in Russia, which Kaspersky uncovered in January.
Kaspersky said initial analysis suggests the campaign's command and control servers are used both to push additional malware onto infected machines and to receive the data stolen from them. The malware focuses on collecting keystroke logs as well as various types of files, including PDFs, Excel spreadsheets, Word documents and other file types. Kaspersky estimates it has already stolen at least 22GB of data from its known victims.
Worse still, the Russian security vendor reported seeing at least one instance of the attackers using the malware as a backdoor, and warned that it could be customised to steal other types of sensitive information.
The campaign gains its initial foothold through tailored spear-phishing emails carrying malicious Microsoft Office attachments. The attachments exploit CVE-2012-0158, a flaw in the MSCOMCTL.OCX ActiveX control fixed in MS12-027, and CVE-2010-3333, a stack buffer overflow in Word's RTF parser fixed in MS10-087. Both vulnerabilities had been patched by Microsoft well before the campaign was discovered, so the attackers rely on victims running unpatched Office installations. Kaspersky Lab recommended that all network administrators check their systems and ensure the patches are installed.
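Beyond patching, a mail gateway or incident responder can statically triage inbound Office attachments for the two exploit vectors named above. The following is an added example written for this article; it is not code from Kaspersky's report and the indicator strings are assumed heuristics (the `pFragments` shape property commonly used to trigger CVE-2010-3333, and the `MSComctlLib.ListViewCtrl`/`MSComctlLib.TreeCtrl` ProgIDs of the MSCOMCTL controls abused by CVE-2012-0158), not vendor signatures. The sample attachments are constructed inline.

```python
"""Static triage of Office attachments for the NetTraveler exploit vectors.

Added example; indicator strings below are assumed heuristics for
illustration, not signatures from Kaspersky's report.
"""
import re
from typing import Iterator, List

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file (.doc/.xls)
RTF_MAGIC = b"{\\rtf"

# Assumed heuristic: ProgIDs of the MSCOMCTL.OCX controls abused by CVE-2012-0158.
MSCOMCTL_PROGIDS = (b"MSComctlLib.ListViewCtrl", b"MSComctlLib.TreeCtrl")


def sniff(data: bytes) -> str:
    """Identify the container by magic bytes rather than trusting the extension."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    return "other"


def _rtf_objdata_blobs(data: bytes) -> Iterator[bytes]:
    """Decode the hex payloads that follow \\objdata so embedded OLE objects can be inspected."""
    for m in re.finditer(rb"\\objdata\s*((?:[0-9a-fA-F]|\s)+)", data):
        hexdigits = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdigits) % 2:          # tolerate a truncated trailing nibble
            hexdigits = hexdigits[:-1]
        try:
            yield bytes.fromhex(hexdigits.decode("ascii"))
        except ValueError:
            continue


def _has_mscomctl(blob: bytes) -> bool:
    """Look for the control ProgIDs in both ASCII and UTF-16LE (as stored in OLE streams)."""
    for progid in MSCOMCTL_PROGIDS:
        if progid in blob or progid.decode("ascii").encode("utf-16-le") in blob:
            return True
    return False


def triage(data: bytes) -> List[str]:
    """Return a list of indicator descriptions found in one attachment (empty if clean)."""
    kind = sniff(data)
    hits: List[str] = []
    if kind == "rtf":
        # CVE-2010-3333 is triggered through a malformed pFragments shape property.
        if re.search(rb"\\sn\s*pFragments", data, re.IGNORECASE):
            hits.append("CVE-2010-3333: pFragments shape property in RTF")
        # CVE-2012-0158 RTF carriers name the control via \objclass or embed it in \objdata.
        if (re.search(rb"\\objclass\s*MSComctlLib\.(ListViewCtrl|TreeCtrl)", data, re.IGNORECASE)
                or any(_has_mscomctl(blob) for blob in _rtf_objdata_blobs(data))):
            hits.append("CVE-2012-0158: MSCOMCTL control embedded in RTF")
    elif kind == "ole":
        if _has_mscomctl(data):
            hits.append("CVE-2012-0158: MSCOMCTL control in OLE document")
    return hits


# Constructed sample attachments (not real malware) to exercise each branch.
SAMPLE_BENIGN_RTF = b"{\\rtf1\\ansi Quarterly figures attached.}"
SAMPLE_RTF_PFRAGMENTS = (
    b"{\\rtf1\\ansi{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 1;1;41414141}}}}}"
)
_OLE1_HEADER = b"\x01\x05\x00\x00\x02\x00\x00\x00"
SAMPLE_RTF_MSCOMCTL = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata "
    + (_OLE1_HEADER + b"MSComctlLib.TreeCtrl.2\x00").hex().encode("ascii")
    + b"}}}"
)
SAMPLE_OLE_MSCOMCTL = OLE_MAGIC + b"\x00" * 64 + "MSComctlLib.ListViewCtrl.2".encode("utf-16-le")

if __name__ == "__main__":
    for name, blob in [("benign.rtf", SAMPLE_BENIGN_RTF), ("report.rtf", SAMPLE_RTF_PFRAGMENTS),
                       ("invite.rtf", SAMPLE_RTF_MSCOMCTL), ("budget.doc", SAMPLE_OLE_MSCOMCTL)]:
        print(name, sniff(blob), triage(blob) or "clean")
```

The scanner is a triage aid, not a replacement for patching: it sniffs the real container type, decodes hex-encoded OLE payloads inside RTF so the control name cannot simply be hidden there, and checks both ASCII and UTF-16LE encodings of the ProgIDs. Attackers can still obfuscate RTF control words, so treat a hit as a reason to detonate the file in a sandbox and a miss as no guarantee.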
The campaign is one of many sophisticated threats uncovered by Kaspersky Lab in recent years. The firm also played a part in uncovering the notorious Flame malware.