'Red October' malware has been stealing government and industrial secrets for 5 years

rocra malware (kaspersky labs)

Kaspersky Labs reports that over the past five years, a coordinated malware campaign called "Rocra" (short for "Red October") has been funneling classified information and geopolitical intelligence from diplomatic, governmental, and scientific research systems all over the world. It uses known exploits in Microsoft Word and Excel documents to gain access to users' systems, relying on targeted social engineering, or "spear phishing," to trick users into opening the infected files: the attackers collate data about multiple future targets (such as account login credentials) and use it to craft a lure the target is more likely to click on. In an interview with The New York Times, the organization's chief malware expert, Vitaly Kamluk, says that, worldwide, "there are about 300 computers infected that we know about."

There is strong evidence that the attackers have Russian-speaking origins

After initial infection, the main piece of malware can download additional modules that let it do everything from grabbing data from locally attached iPhones and USB drives (including deleted files), to downloading local Outlook and remote POP3 / IMAP email data, logging keystrokes, and taking screenshots. Kaspersky says that Rocra is administered by a network of 60 command and control servers, with IPs mostly located in Russia and Germany. And while it says there's no evidence of a nation-state sponsored attack, Kaspersky does note that there is strong evidence that the attackers have Russian-speaking origins.

The news is reminiscent of earlier malware like the 2009 Stuxnet worm and other members of the "Tilded" family like Flame and Duqu, but Kaspersky says it "could not find any connections" between Rocra and those campaigns. During the five years it's been in operation, Kaspersky estimates that Rocra has funneled out "hundreds of terabytes" of data, which could then have been sold on the black market, or used directly by the attackers. The investigation is still ongoing, and Kaspersky says it will be releasing more technical information about Rocra's command and control servers and known modules in the coming days.