Wide-reaching 'Red October' malware campaign targets world governments

Kaspersky Labs has unearthed a new malware campaign nicknamed Red October, which is harvesting classified information from targets such as nation states and sensitive corporations across the globe.

Red October, or Rocra, steals encrypted login information from high security targets and is said to primarily target former USSR republics and countries in Central Asia, although Kaspersky also pointed out that no nation is immune, with known infections around the world.

According to Kaspersky, the virus, which has been lurking since 2007, contains strong technical evidence that shows the attackers have Russian-speaking origins and it has also infiltrated smartphones to collect information. It has mainly focused on diplomatic and government agencies of various countries across the world, although it is also targeting research institutions, trade and commerce, nuclear and energy research, oil and gas companies, aerospace, and military.

Rocra first attacked in exploits found in Microsoft Excel, then two other vulnerabilities in Microsoft Word.

It works by storing information on the infected network and when it’s ready, it “calls back” to  command servers for customised packages of malware signed with victim-specific 20 digit codes.

Kaspersky said that from this, the attackers were able to collect data straight from government institutions, embassies, research firms, military installations, and energy providers using the growing catalogue of  logins, and other ways to get past security.

To keep track of, and control the network of infected machines, the attackers were said to have created more than 60 domain names and several server hosting locations in different countries, which hid the original location of the ‘mothership’ control server.

As well as PCs, the virus has also been engineered to target and steal data from mobile devices, such as iPhones and Nokia and Windows based mobiles.

Removable disk drives were also labelled as unsafe by the security company.

According to the information Kaspersky has collected so far, the original exploits appear to have been created by Chinese hackers, while the Rocra modules themselves have been made by Russian speaking hackers.

Kaspersky’s full rundown of Red October is available on SecureList.