Kaspersky Labs said the Red October malware has been trolling the Internet for the past five years, targeting sensitive information from government departments and major companies worldwide in more than a dozen nations.
According to Kaspersky Lab, the ultimate manager of the Red October network is currently unknown, but traces uncovered in the virus source code point to several countries.
Kaspersky Lab first discovered the carefully hidden Red October coding in late 2012, and as the source program was decrypted, the specialists came to believe that the program was designed to infiltrate targeted computers worldwide. Subjects selected for hacking included government organizations, embassies, military installations, financial corporations and research institutes.
The carefully selected targets were the hard drive contents of computers of institutions deemed strategically important, with Red October seeking classified information, scientific research, and military secrets, Golos Rossii radio station reported on Wednesday.
The biggest question facing Kaspersky Lab analysts is who created the cyberweapon. Kaspersky Lab experts have come to the conclusion that the malware was created by a working group of several dozen programmers. Analyzing the more than 60 network addresses to which the purloined data was sent, the analysts found that the bulk of the host servers for the received data are located in Germany and the Russia Federation, concluding further on the code's development that Russian slang used by Russian software developers was found in the malware's source code.
The Red October Trojan malware exploited security vulnerabilities of popular business software, such as Microsoft Office and Adobe products, with one infected computer being sufficient to compromise an organization's entire computer network.
The Red October cyber criminals used phishing methods to target computers, compromising specific users with access to targeted networks via email, with each attack carefully planned with the malware being specifically reprogrammed for each user.
Kaspersky Lab discussed Red October in detail on its website, reporting that "To determine the victims of cyberespionage Kaspersky Lab experts analyzed data from two main sources: a cloud service Kaspersky Security Network (KSN) and sinkhole-servers for monitoring infected machines overlooking the communication with the command servers
KSN statistics helped discover hundreds of unique infected computers, most of which belonged to embassies, consulates, government agencies and research institutes. A significant part of infected systems was found in Eastern Europe. Sinkhole-server data were obtained during the period from 2 November 2012 to 10 January 2013. During this time there were more than 55,000 connections with 250 infected IP-addresses registered in 39 countries. Most connections from infected IP-addresses were recorded in Switzerland, Kazakhstan and Greece."
Perhaps the most ominous aspect of the Kaspersky Lab analysis is that the malware contains a
"recovery module," allowing operators "to 'resurrect' the infected machines. The module is built as a plug-in for Adobe Reader and Microsoft Office, and provides a second attacker access to the system if the main malware was detected and removed or if there was a system update."