- Subscribe to PCF Networked Blog Daily Updates
- Subscribe to our Twitter / Google / Yahoo Daily Updates
A
sophisticated cyber-espionage network targeting the world’s diplomatic,
government and research agencies, as well as gas and oil industries, has been
uncovered by experts at Russia’s Kaspersky Lab.
The
system’s targets include a wide range of countries, with the primary focus on
Eastern Europe, former Soviet republics and Central Asia – although many in
Western Europe and North America are also on the list.
“The
majority of infections are actually from the embassies of ex-USSR country
members located in various regions such as Western Europe and even in North
America – in the US we have few infections as well. But most infections are
concentrated around Russia,” Vitaly Kamluk, chief malware expert at Kasperky
Lab, told RT, adding that in Europe, the hardest-hit countries are apparently
Beligum and Switzerland.
In
addition to attacking traditional computer workstations, ‘Rocra’ – an abridgment
of ‘Red October,’ the name the Kaspersky team gave the network – can steal data
from smartphones, dump network equipment configurations, scan through email
databases and local network FTP servers, and snatch files from removable disk
drives, including ones that have been erased.
Unlike
other well-known and highly automated cyber-espionage campaigns, such as
‘Flame’ and ‘Gauss,’ Rorca’s attacks all appear to be carefully chosen. Each
operation is apparently driven by the configuration of the victim’s hardware
and software, native language and even document usage habits.
The
information extracted from infected networks is often used to gain entry into
additional systems. For example, stolen credentials were shown to be compiled
in a list for use when attackers needed to guess passwords or phrases.
The
hackers behind the network have created more than 60 domain names and several
server hosting locations in different countries – the majority of those known
being in Germany and Russia – which worked as proxies in order to hide the
location of the ‘mothership’ control server.
That
malicious server’s location remains unknown, but experts have uncovered over
1,000 modules belonging to 34 different module categories.While Rocra seems to
have been designed to execute one-time tasks sent by the hackers’ servers, a
number of modules were constantly present in the system executing persistent
tasks. This included retrieving information about a phone, its contact list,
call history, calendar, SMS messages and even browsing history as soon as an
iPhone or a Nokia phone is connected to the system.
The
hackers’ primary objective is to gather information and documents that could
compromise the security of governments, corporations or other organizations and
agencies. In addition to focusing on diplomatic and governmental agencies
around the world, the hackers also attacked energy and nuclear groups, and
trade and aerospace targets.
No
details have been given yet as to the attackers’ identity. However, there is
strong technical evidence to indicate that the attackers are of Russophone
origins, as Russian words including slang have been used in the source code
commentaries. Many of the known attacks have taken place in Russian-speaking
countries.
“It
is bound to Russian language. We are currently uncertain which country is
responsible for creating these malicious applications, but we are most certain
the developers picked the Russian language. It is visible from the text links
we extracted from the application. Some of them point to Russian origin. For
example, the word used inside of the malware the word is ‘zakladka.’ In Russian
it means a bookmark, or under cleared functionality it can refer to a backdoor
functionality in some legitimate software. So that’s why we believe this work
was used by Russian-speaking developers,” Kamluk told RT.
The
hackers designed their own authentic and complicated piece of software, which
has its own unique modular architecture of malicious extensions, info-stealing
modules and backdoor Trojans. The malware includes several extensions and
malicious files designed to quickly adjust to different system configurations
while remaining able to grab information from infected machines.
These
included a ‘resurrection’ module, which allowed hackers to gain access to
infected machines using alternative communications channels and an encoded spy
module, stealing information from different cryptographic systems such as Acid
Cryptofiler, which has reportedly been used since 2011 by organizations such as
NATO, the European Parliament and the European Commission.
The
first instances of Red October malware were discovered in October 2012, but it
has been infecting computers since at least 2007, Kaspersky Lab reported. The
firm worked with a number of international organizations while conducting the
investigation, including Computer Emergency Readiness Teams from the US,
Romania and Belarus.
The
EU is attempting to counter the huge rise in cyber-espionage by launching the
European Cybercrime Center, which opened on Friday.
Pakistan Cyber Force
No comments:
Post a Comment