Kaspersky Labs reports that over the past five years, a co-ordinated malware campaign called "Rocra" (short for "Red October") has been funneling classified information and geopolitical intelligence from diplomatic, governmental, and scientific research systems all over the world. It uses known exploits in Microsoft Word and Excel documents to gain access to users' systems, relying on a targeted social engineering or "spear phishing" element to trick users into opening the infected files: the attackers collate data about multiple future targets (such as account login credentials) and use it to craft lures that the target is more likely to click on. In an interview with The New York Times, the organization's chief malware expert, Vitaly Kamluk, says that, worldwide, "there are about 300 computers infected that we know about."
After initial infection, the main piece of malware can download additional modules that let it do everything from grabbing data from locally attached iPhones and USB drives (including deleted files), to downloading local Outlook and remote POP3 / IMAP email data, logging keystrokes, and taking screenshots. Kaspersky says that Rocra is administered by a network of 60 command and control servers, with IPs mostly located in Russia and Germany. And while it says there's no evidence of a nation-state sponsored attack, Kaspersky does note that there is strong evidence that the attackers have Russian-speaking origins.
The news is reminiscent of earlier malware like the 2009 Stuxnet worm and other members of the "Tilded" family like Flame and Duqu, but Kaspersky says it "could not find any connections" between Rocra and that family. During the five years it's been in operation, Kaspersky estimates that Rocra has funneled out "hundreds of terabytes" of data, which could then have been sold on the black market, or used directly by the attackers. The investigation is still ongoing, and Kaspersky says it will be releasing more technical information about Rocra's command and control servers and known modules in the coming days.