
'Red October' malware has been stealing government and industrial secrets for 5 years

Image: Rocra malware (Kaspersky Labs)

Kaspersky Labs reports that over the past five years, a co-ordinated malware campaign called "Rocra" (short for "Red October") has been funneling classified information and geopolitical intelligence from diplomatic, governmental, and scientific research systems all over the world. It uses known exploits in Microsoft Word and Excel documents to gain access to users' systems, relying on targeted social engineering, or "spear phishing", to trick users into opening the infected files: the attackers collate data about multiple future targets (such as account login credentials) and use it to craft lures the target is more likely to click on. In an interview with The New York Times, the organization's chief malware expert, Vitaly Kamluk, says that, worldwide, "there are about 300 computers infected that we know about."


After initial infection, the main piece of malware can download additional modules that let it do everything from grabbing data from locally-attached iPhones and USB drives (including deleted files), to downloading local Outlook and remote POP3 / IMAP email data, logging keystrokes, and taking screenshots. Kaspersky says that Rocra is administered by a network of 60 command and control servers, with IPs mostly located in Russia and Germany. And while it says there's no evidence of a nation-state sponsored attack, Kaspersky does note that there is strong evidence that the attackers have Russian-speaking origins.

The news is reminiscent of earlier malware like the 2009 Stuxnet worm and other members of the "Tilded" family like Flame and Duqu, but Kaspersky says it "could not find any connections" between the two. During the five years it’s been in operation, Kaspersky estimates that Rocra has funneled out "hundreds of terabytes" of data, which could then have been sold on the black market, or used directly by the attackers. The investigation is still ongoing, and Kaspersky says it will be releasing more technical information about Rocra's command and control servers and known modules in the coming days.

The Verge