by Staff Writers
Paris (AFP) Jan 14, 2013
Kaspersky Lab said Monday it had identified a new computer virus it dubbed "Red October" targeting eastern European countries that appeared to be collecting classified files using NATO and EU encryption.
"The primary focus of this campaign targets countries in Eastern Europe, former USSR Republics, and countries in Central Asia, although victims can be found everywhere, including Western Europe and North America," said the maker of anti-virus software in a statement.
Kaspersky Lab said "there is strong technical evidence to indicate the attackers have Russian-speaking origins."
Red October, which has been active since at least 2007, appears to collect files encrypted with software used by several entities from the European Union to NATO, it added.
Kaspersky said Red October also infected smartphones and collected login information to test on other systems.
Red October has what Kaspersky Lab called a unique "resurrection" module that hid in Adobe Reader and Microsoft Office programmes that allowed the attackers to regain access if the virus was discovered and removed.
In addition to diplomatic and governmental agencies of various countries across the world, Red October also targeted research institutions, energy and nuclear groups, and trade and aerospace targets, added Kaspersky Lab.
Founded in 1997, Kaspersky Lab employs more than 2,300 specialists and is a leading IT security and anti-virus software company.
'Red October' cyberattack is identified
Kaspersky Labs said the malware -- designed to steal encrypted files -- targeted government entities such as embassies, nuclear research centers, and oil and gas institutes.
Kaspersky Labs' chief malware researcher, Vitaly Kamluk, said victims had been carefully selected.
"There were a quite limited set of targets that were affected -- they were carefully selected. They seem to be related to some high-profile organizations," he told the BBC.
The malware, which has been dubbed Red October, is similar to the Flame cyberattack identified last year, researchers said.
"It appears to be trying to suck up all the usual things -- word documents, PDFs, all the things you'd expect," Alan Woodward, a security expert from the University of Surrey in Britain, said.
"But a couple of the file extensions it's going after are very specific encrypted files."
Red October also has a previously unseen ability to hide on a machine as if it has been deleted, he said.
"If it's discovered, it hides. When everyone thinks the coast is clear, you just send an email and 'boof' it's back and active again."
Sixty domain names, based mostly in Germany and Russia, were created by the hackers to run the attacks, the researchers said.
Cyberwar - Internet Security News - Systems and Policy Issues