According to Kaspersky Lab, a cyber-espionage network using malware dubbed "Red October" has been stealing confidential information, chiefly from Eastern Europe. The targets were government agencies, diplomatic missions and research institutions, as well as energy, nuclear and aerospace organizations. The attackers took secret documents containing geopolitical intelligence, together with credentials for accessing sensitive computer systems. In its construction, the malware resembled the software used to attack Iran the previous year.
The data-stealing operation, also known as "Rocra," has been running without interruption since at least 2007. Computers were infected through email: the attackers exploited vulnerabilities in Microsoft Office. Computers were not the only victims, though; data was also stolen from mobile devices (iPhone, Nokia and Windows Mobile devices). The malware was so advanced that even after the exploited holes were patched or the infection was disabled, the attackers could easily reactivate it.
The purpose of the attacks was to steal data in popular formats such as PDF and DOC, as well as files deleted from computers and files with an "acid" extension, that is, data encrypted with Acid Cryptofiler, an encryption program used by NATO and the European Union.
The main area of the spying activity was the countries of the former Eastern Bloc, but computers were also infected in Western Europe (mainly Switzerland), Asia and North America. From November 2 (when the malware was detected) to January 10, 55,000 connections from infected computers in 39 countries were recorded, and that is for only two months; remember that the malware has been collecting data since 2007. It should also be noted how few distinct addresses were involved relative to the number of infected computers. This clearly indicates an interest in large networks, such as government, diplomatic or military ones.
As for the developers of the malware, Kaspersky Lab experts were able to establish that they were probably Russian speakers, because fragments of Cyrillic-language text were found in the code. Of course, the attackers are unlikely to be tracked down: the chain of redirects they used effectively prevented them from being identified. Nor had any similar attacks been detected in the past that would allow the development history of the software to be reconstructed and attributed to specific individuals.