Kaspersky Lab has found a new malicious cyber-spy operation, but it is new only to us: it has been actively siphoning secrets from governments since 2007.

In October 2012, Kaspersky Lab began looking into yet another digital espionage attack, one that has been ongoing since 2007. Yesterday, the security firm said the “Red October” campaign had targeted “diplomatic and governmental agencies of various countries across the world, in addition to research institutions, energy and nuclear groups, and trade and aerospace targets” for the last five years. However, “Kaspersky Security Network (KSN) detected the exploit code used in the malware as early as 2011.”

The Stuxnet virus was out to sabotage critical infrastructure. Duqu, Gauss and Flame were stealers of information. The Red October attackers also designed their “Rocra” malware for digital espionage, but unlike the automated Flame or Gauss cyber-espionage campaigns, the initial documents in the Rocra attacks, according to Kaspersky, were fine-tuned specifically for each victim. Rocra also has an unusual modular architecture, including “advanced cryptographic spy-modules” able to defeat the Acid Cryptofiler encryption used by NATO and some government agencies, and a “resurrection module” that gives the attackers a “foolproof” way to “resurrect” infected machines.

Among the key Red October findings, Kaspersky wrote:

Beside traditional attack targets (workstations), the system is capable of stealing data from mobile devices, such as smartphones (iPhone, Nokia, Windows Mobile); dumping enterprise network equipment configuration (Cisco); hijacking files from removable disk drives (including already deleted files via a custom file recovery procedure); stealing e-mail databases from local Outlook storage or remote POP/IMAP server; and siphoning files from local network FTP servers.

H.D. Moore, Rapid7 chief security officer, was struck by the fact that Red October could undelete previously deleted data from USB drives. Moore told NBC News, “The threat is that USB drives are often shared between people, especially at conferences. Even if you take precautions to delete files and you trust the person you are sharing this with, this malware would be able to automatically recover deleted files and siphon them off without either party being aware.”

According to the Kaspersky Lab image showing the first stage of Red October attacks and Kaspersky’s first report:

There is a notable module among all others, which is essentially created to be embedded into Adobe Reader and Microsoft Office applications. The main purpose of its code is to create a foolproof way to regain access to the target system. The module expects a specially crafted document with attached executable code and special tags. The document may be sent to the victim via e-mail. It will not have an exploit code and will safely pass all security checks. However, as with the exploit case, the document will be instantly processed by the module and the module will start a malicious application attached to the document. This trick can be used to regain access to the infected machines in case of unexpected C&C servers shutdown/takeover.

Looking at the Operation Red October map of countries with infections, China appears to be entirely unaffected. Although Kaspersky found “malware modules that have been created by Russian-speaking operatives,” the “exploits appear to have been created by Chinese hackers.” Yet Kaspersky doesn’t believe this cyberattack was sponsored by a nation state: “Such information could be traded in the underground and sold to the highest bidder, which can be, of course, anywhere.” Kaspersky Lab plans to publish part two of its Operation Red October report, with the detailed technical findings, this week.

In the security firm’s initial public notification, it listed these examples of Rocra malware “persistent” tasks:

- Once a USB drive is connected, search and extract files by mask/format, including deleted files. Deleted files are restored using a built-in file system parser
- Wait for an iPhone or a Nokia phone to be connected. Once connected, retrieve information about the phone, its phone book, contact list, call history, calendar, SMS messages, browsing history
- Wait for a Windows Mobile phone to be connected. Once connected, infect the phone with a mobile version of the Rocra main component
- Wait for a specially crafted Microsoft Office or PDF document and execute a malicious payload embedded in that document, implementing a one-way covert channel of communication that can be used to restore control of the infected machine
- Record all the keystrokes, make screenshots
- Execute additional encrypted modules according to a pre-defined schedule
- Retrieve e-mail messages and attachments from Microsoft Outlook and from reachable mail servers using previously obtained credentials

Some examples of “one-time” tasks revealed by Kaspersky included extracting Chrome, Firefox, Internet Explorer and Opera browsing history, Windows account hashes for offline cracking, Outlook account info, and saved passwords for websites, FTP servers, mail and IM accounts. Rocra also collected “information about installed software, most notably Oracle DB, RAdmin, IM software including Mail.Ru agent, drivers and software for Windows Mobile, Nokia, SonyEricsson, HTC, Android phones, USB drives.”

As Ars Technica pointed out, the malware behind Red October relied in part on a critical Java vulnerability. Aviv Raff, a researcher with Israel-based Seculert, said the attackers used a PHP script to exploit a hole in the Java framework and then secretly executed malicious code on some of the victims’ machines. Even though Oracle had issued a patch in October 2011, the attackers exploited it in February 2012.

It’s no surprise that cyber espionage, like other digital attacks, exploits vulnerabilities in Java and Windows. It serves as yet another reason to stay on top of the painstaking time-sink of patching holes when updates are made available.

Follow me on Twitter @PrivacyFanatic
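Moore’s point about shared USB sticks rests on how FAT, the file system on nearly every removable drive, deletes a file: the directory entry’s first name byte is overwritten with 0xE5 and the cluster chain is marked free, but the entry’s start cluster, its size and the data clusters themselves are left untouched, which is exactly what a “built-in file system parser” like Rocra’s relies on. The Python below is an added illustration, not Kaspersky’s analysis or code from the malware; it parses a constructed two-entry FAT root directory, shows that the “deleted” file’s bytes are still readable from the data area, and shows that overwriting the data clusters (what a secure-delete tool does and a plain delete does not) is what actually removes them. The layout constants and the sample image are constructed; the recovery assumes the file’s clusters are contiguous, since the FAT chain is gone once the file is deleted.

```python
import struct

CLUSTER_SIZE = 512          # bytes per cluster in the constructed image (assumption)
FIRST_DATA_CLUSTER = 2      # FAT numbers data clusters from 2
ATTR_LFN = 0x0F             # long-file-name pseudo entries, skipped here
ATTR_VOLUME_ID = 0x08


def make_entry(name83, start_cluster, size, attr=0x20, deleted=False):
    """Build one 32-byte FAT directory entry (constructed sample data)."""
    raw = bytearray(name83.encode("ascii").ljust(11, b" "))
    if deleted:
        raw[0] = 0xE5                       # all a FAT delete changes in the entry
    entry = bytes(raw) + bytes([attr]) + bytes(8)        # attr + reserved/creation fields
    entry += struct.pack("<H", start_cluster >> 16)       # first cluster, high word
    entry += bytes(4)                                     # write time/date
    entry += struct.pack("<H", start_cluster & 0xFFFF)    # first cluster, low word
    entry += struct.pack("<I", size)
    assert len(entry) == 32
    return entry


def parse_directory(region):
    """Parse a FAT directory region, keeping deleted (0xE5) entries."""
    entries = []
    for off in range(0, len(region), 32):
        raw = region[off:off + 32]
        if len(raw) < 32 or raw[0] == 0x00:   # 0x00 marks the end of used entries
            break
        attr = raw[11]
        if attr == ATTR_LFN or attr & ATTR_VOLUME_ID:
            continue
        deleted = raw[0] == 0xE5
        stem = raw[0:8].decode("latin-1")
        if deleted:
            stem = "?" + stem[1:]             # only the first name character is lost
        ext = raw[8:11].decode("latin-1").rstrip()
        name = stem.rstrip() + ("." + ext if ext else "")
        hi, = struct.unpack_from("<H", raw, 20)
        lo, = struct.unpack_from("<H", raw, 26)
        size, = struct.unpack_from("<I", raw, 28)
        entries.append({"name": name, "deleted": deleted,
                        "start_cluster": (hi << 16) | lo, "size": size, "attr": attr})
    return entries


def recover(entry, data_area):
    """Read the file body straight from the data area.

    Deleting a file zeroes its FAT chain, so the chain cannot be followed; the
    recovery assumes contiguous allocation, the common case on a lightly used stick."""
    start = (entry["start_cluster"] - FIRST_DATA_CLUSTER) * CLUSTER_SIZE
    return data_area[start:start + entry["size"]]


def overwrite_clusters(data_area, entry):
    """What a secure delete must do: overwrite the data clusters, not just the entry."""
    area = bytearray(data_area)
    start = (entry["start_cluster"] - FIRST_DATA_CLUSTER) * CLUSTER_SIZE
    nclusters = -(-entry["size"] // CLUSTER_SIZE)          # ceiling division
    area[start:start + nclusters * CLUSTER_SIZE] = bytes(nclusters * CLUSTER_SIZE)
    return bytes(area)


def build_sample_image():
    """Constructed root directory plus data area; not a real disk image."""
    live = b"minutes of the meeting\n"
    secret = b"top secret!"
    data_area = bytearray(4 * CLUSTER_SIZE)                # clusters 2..5
    data_area[0:len(live)] = live                          # cluster 2
    data_area[CLUSTER_SIZE:CLUSTER_SIZE + len(secret)] = secret   # cluster 3
    directory = (make_entry("MINUTES TXT", 2, len(live))
                 + make_entry("SECRET  TXT", 3, len(secret), deleted=True)
                 + bytes(32))                              # 0x00 entry ends the listing
    return directory, bytes(data_area)


def undelete_all(directory, data_area):
    """Name -> recovered bytes for every deleted entry in the directory."""
    return {e["name"]: recover(e, data_area)
            for e in parse_directory(directory) if e["deleted"]}


def demo():
    """Recoverable content after a plain delete, then after overwriting the clusters."""
    directory, data_area = build_sample_image()
    before = undelete_all(directory, data_area)            # {'?ECRET.TXT': b'top secret!'}
    deleted_entry = next(e for e in parse_directory(directory) if e["deleted"])
    after = undelete_all(directory, overwrite_clusters(data_area, deleted_entry))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("recoverable after plain delete:   ", before)
    print("recoverable after cluster overwrite:", after)
```

The directory entry survives in both runs; only the second run, where the clusters were overwritten, returns nothing but zeros. That is the property to check for on a stick that will be handed to someone else: a file that is deleted but whose clusters have not been overwritten is still a file.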
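The resurrection module works because the trigger document carries no exploit: it is a well-formed Office or PDF file with an executable attached, and the already-installed module, not a vulnerability, runs it. Exploit-oriented checks therefore let it through, which is the caveat worth drawing from Kaspersky’s description. One check such a document does not pass is a content scan for an embedded Windows executable: a DOS “MZ” header whose e_lfanew field (offset 0x3C) points at a “PE\0\0” signature. The Python below is an added example, not code from Kaspersky or from the malware; Kaspersky’s report does not say what the “special tags” look like, so the scanner keys on the generic PE structure instead. It inflates OOXML zip members before searching, because a deflated payload would hide its MZ bytes from a raw byte search, and scans PDFs as raw bytes. The sample documents and the placeholder PE image are constructed.

```python
import io
import struct
import zipfile


def fake_pe_image():
    """Constructed stand-in for a Windows executable: an 'MZ' DOS stub whose
    e_lfanew points at a 'PE\\0\\0' signature. Not a working program."""
    hdr = bytearray(0x60)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> NT headers at 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


def find_embedded_pe(blob):
    """Offsets of every 'MZ' header whose e_lfanew leads to a 'PE\\0\\0' signature.

    Checking the signature, not just the two letters, keeps ordinary text that
    happens to contain 'MZ' from being flagged."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew, = struct.unpack_from("<I", blob, pos + 0x3C)
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and blob[sig:sig + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def scan_document(data):
    """Return [(container member, offset)] for each embedded PE found.

    OOXML (docx/xlsx/pptx) is a zip, so members are inflated first; anything
    else (a PDF here) is searched as raw bytes."""
    findings = []
    if data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                for off in find_embedded_pe(zf.read(info)):
                    findings.append((info.filename, off))
    else:
        for off in find_embedded_pe(data):
            findings.append(("<raw>", off))
    return findings


def build_docx(with_payload):
    """Constructed minimal .docx; optionally carries the fake PE as an OLE blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml",
                    "<w:document><w:body>quarterly figures</w:body></w:document>")
        if with_payload:
            zf.writestr("word/embeddings/oleObject1.bin",
                        bytes(64) + fake_pe_image() + bytes(64))
    return buf.getvalue()


def build_pdf(with_payload):
    """Constructed minimal PDF; optionally carries the fake PE in an uncompressed stream."""
    body = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
    if with_payload:
        body += (b"2 0 obj << /Length 96 >> stream\n" + fake_pe_image()
                 + b"\nendstream endobj\n")
    return body + b"%%EOF\n"


if __name__ == "__main__":
    for label, doc in [("clean docx", build_docx(False)), ("docx+PE", build_docx(True)),
                       ("clean pdf", build_pdf(False)), ("pdf+PE", build_pdf(True))]:
        print(label, "->", scan_document(doc))
```

The scan is deliberately narrow: it answers only “does this document carry a Windows executable”, which is the property Kaspersky describes and the one exploit scanners do not ask. A PDF whose streams are compressed with /FlateDecode would need those streams inflated first, as the zip members are here; that step is left out of this example.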