'Red October' cyber-attack found by Russian researchers
A major cyber-attack that may have been stealing confidential documents since 2007 has been discovered by Russian researchers.
Kaspersky Labs told the BBC the malware targeted government institutions such as embassies, nuclear research centres and oil and gas institutes.
It was designed to steal encrypted files - and was even able to recover files that had been deleted.
One expert described the attack find as "very significant".
"It appears to be trying to suck up all the usual things - word documents, PDFs, all the things you'd expect," said Prof Alan Woodward, from the University of Surrey.
"But a couple of the file extensions it's going after are very specific encrypted files."
In a statement, Kaspersky Labs said: "The primary focus of this campaign targets countries in Eastern Europe, former USSR Republics, and countries in Central Asia, although victims can be found everywhere, including Western Europe and North America.
"The main objective of the attackers was to gather sensitive documents from the compromised organisations, which included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment."'Carefully selected'
In an interview with the BBC, the company's chief malware researcher Vitaly Kamluk said victims had been carefully selected.
"It was discovered in October last year," Mr Kamluk said.
"We initiated our checks and quite quickly understood that is this a massive cyber-attack campaign.
"There were a quite limited set of targets that were affected - they were carefully selected. They seem to be related to some high-profile organisations."
Red October - which is named after a Russian submarine featured in the Tom Clancy novel The Hunt For Red October - bears many similarities with Flame, a cyber-attack discovered last year.
Like Flame, Red October is made up of several distinct modules, each with a set objective or function.
Red October is said to be one of the most significant attacks ever to be discovered. Key facts include:
- It has been operating since 2007
- Attackers created more than 60 domain names to run the attack, based mostly in Germany and Russia
- Specifically targeted "Cryptofiler" files - an encryption technique used by organisations like Nato and the EU
- Most infection connections were found coming from Switzerland, followed by Kazakhstan and Greece
- Intended targets received personalised correspondence based on gathered intelligence on individual people
- Unlike Stuxnet, another major cyber-attack, Red October is not believed to have caused any physical damage to infrastructure, concentrating solely on stealing information
Source: Kaspersky Labs
"There is a special module for recovering deleted files from USB sticks," Mr Kamluk said.
"It monitors when a USB stick is plugged in, and it will try to undelete files. We haven't seen anything like that in a malware before."
Also unique to Red October was its ability to hide on a machine as if deleted, said Prof Woodward.
"If it's discovered, it hides.
"When everyone thinks the coast is clear, you just send an email and 'boof' it's back and active again."Cracked encryption
Other modules were designed to target files encrypted using a system known as Cryptofiler - an encryption standard that used to be in widespread use by intelligence agencies but is now less common.
Prof Woodward explained that while Cryptofiler is no longer used for extremely sensitive documents, it is still used by the likes of Nato for protecting privacy and other information that could be valuable to hackers.
Red October's targeting of Cryptofiler files could suggest its encryption methods had been "cracked" by the attackers.
Like most malware attacks, there are clues as to its origin - however security experts warn that any calling cards found within the attack's code could in fact be an attempt to throw investigators off the real scent.
Kaspersky's Mr Kamluk said the code was littered with broken, Russian-influenced English.
"We've seen use of the word 'proga' - a slang word common among Russians which means program or application. It's not used in any other language as far as we know."
But Prof Woodward added: "In the sneaky old world of espionage, it could be a false flag exercise. You can't take those things at face value."
Kaspersky's research indicated there were 55,000 connection targets within 250 different IP addresses. In simpler terms, this means that large numbers of computers were infected in single locations - possibly government buildings or facilities.
A 100-page report into the malware is to be published later this week, the company said.