Cyber-espionage aimed at gov’t, biz uncovered


Russia-based anti-virus firm Kaspersky Lab has revealed that significant attacks on government and organizations are on the rise with its discovery of an advanced network of cyber-espionage dubbed “Red October” or Rocra.


Initially detected by Kaspersky Lab in October 2012, the Rocra network is a series of spear phishing tactics targeting very specific organizations.

Kaspersky Lab experts define spear phishing as an attack on a specific organization in which the phisher simply asks for one employee’s details and uses them to gain wider access to the rest of the network.

Security experts alleged that Rocra has been able to evade detection by most antivirus products and has been in existence for at least five years.

Attackers will send an email with an infected attachment, which when opened, will drop malicious software to gain access to the target’s PC through a series of exploits in Microsoft Word and Excel.

These will eventually invade the PC’s network and then look for usernames and passwords, and other classified or confidential information.

The stolen data will finally be sent to the original host but will go through several command and control (C&C) servers to reduce the chances of security software locating the main host.

According to the analysis, compared to Flame and Gauss, which are highly automated cyberespionage campaigns, Rocra is a lot more “personal” and finely tuned for the victims.

Kaspersky Lab experts also said that they could not find any connections between Rocra and the Flame / Tilded platforms.

Costin Raiu, director of Kaspersky Lab's Global Research and Analysis Team (GReAT), cited the Kaspersky Security Network (KSN) showing that among the targets of Rocra are top government networks and diplomatic institutions such as those in the Russian Federation, the United States, Iran, India, Belgium, Italy, Greece, Pakistan, United Arab Emirates, and Switzerland, to name a few.

Apart from government offices, other specific categories that the propagators of Rocra are targeting include research institutions, trade and commerce, nuclear and energy, oil and gas, military, and aerospace.

Adding to the concern is the fact that Rocra is capable of stealing data from mobile devices, including smartphones (Apple iPhones, Windows mobile devices, and Nokia phones), removable disk drives, corporate email and file transfer protocol (FTP) servers.

Kaspersky Lab also said that while the malware modules appear to have been created by Russian-speaking operatives, the exploits were developed by Chinese hackers.

The development of malware modules is so extensive that there were at least 1,000 sub-modules from 30 module categories. Kaspersky Lab, however, stressed that there is no specific organization or nation linked to the Rocra attack network, nor is it acknowledging if Rocra is really a nation-sponsored attack.

As for the stolen classified information, Kaspersky Lab said that the information could have been passed on to an international black market of information or used directly by the Rocra propagators for a variety of purposes.

With the Rocra threat still ongoing, Raiu is calling for security organizations in different countries to provide assistance in uprooting the attack, especially since it is not entirely known where it is headquartered or who the perpetrators are.

“Kaspersky Lab, in collaboration with international organizations, Law Enforcement, Computer Emergency Response Teams (CERTs) and other IT security companies is continuing its investigation of Operation Red October by providing technical expertise and resources for remediation and mitigation procedures,” said Raiu.
