A high-level cyber espionage campaign that successfully infiltrated computer networks at diplomatic, governmental and scientific research organisations has been detected.
For the last five years the campaign has been conducted by Russian-speaking attackers who targeted users in Eastern Europe, former USSR member states and countries in Central Asia, Western Europe and North America, Kaspersky researchers say.
The Red October (Rocra) attacks remain active and are sending data to multiple command-and-control (C&C) servers, which work as proxies and hide the location of the true C&C server.
“The main purpose of the operation appears to be the gathering of classified information and geopolitical intelligence, although it seems that the information gathering scope is quite wide,” a researcher wrote.
“During the past five years, the attackers collected information from hundreds of high-profile victims although it's unknown how the information was used.
“All the attacks are carefully tuned to the specifics of the victims. For instance, the initial documents are customised to make them more appealing and every single module is specifically compiled for the victim with a unique victim ID inside.”
Attackers created more than 60 domain names and several server hosting locations in different countries, with the majority in Germany and Russia.
The framework is notable in that it relies on at least three exploits for previously known vulnerabilities rather than on zero-days: CVE-2009-3129 in Microsoft Excel, and CVE-2010-3333 and CVE-2012-0158 in Microsoft Word.
Researchers said the attackers created a multi-functional framework whose intelligence-gathering features can be quickly extended. They said that the system is resistant to C&C server takeover and allows the attackers to recover access to infected machines through alternative communication channels.
It is capable of stealing data from mobile devices and removable disk drives, stealing email databases from local Outlook storage or remote POP/IMAP servers and siphoning files from local network FTP servers.
Kaspersky Lab said Rocra infects by using spear phishing tactics and, once in, a module actively scans the local area network and finds hosts that are vulnerable to MS08-067 (the vulnerability exploited by Conficker) or that are accessible with administrator credentials from its own password database.
Another module collects information to infect remote hosts in the same network.
Kaspersky first detected the attacks in October 2012 and has counted several hundred infections worldwide, with the most (38) in Russia.
Kaspersky believes that the exploits were created by Chinese hackers, while the Rocra malware modules were created by Russian-speaking operatives.
It also said that there were more than 1000 modules belonging to 30 different module categories, with some created as far back as 2007.
The attacks bore similarities to the Flame virus, but connections could not be found between Rocra and the Flame/Tilded platforms.