Future news will highlight.
Note "The Hunt For" was dropped.
Details matter.
Q
In October 2012, Kaspersky Lab’s Global Research & Analysis Team initiated a new threat research after a series of attacks against computer networks of various international diplomatic service agencies. A large scale cyber-espionage network was revealed and analyzed during the investigation, which we called “Red October” (after famous novel “The Hunt For The Red October”).
This report is based on detailed technical analysis of a series of targeted attacks against diplomatic, governmental and scientific research organizations in different countries, mostly related to the region of Eastern Europe, former USSR members and countries in Central Asia.
The main objective of the attackers was to gather intelligence from the compromised organizations, which included computer systems, personal mobile devices and network equipment.
The earliest evidence indicates that the cyber-espionage campaign was active since 2007 and is still active at the time of writing (January 2013).
Besides that, registration data used for the purchase of several Command & Control (C&C) servers and unique malware filenames related to the current attackers hints at even earlier time of activity dating back to May 2007.
Advanced Cyber-espionage Network: The attackers have been active for at least several years, focusing on diplomatic and governmental agencies of various countries across the world.
Information harvested from infected networks was reused in later attacks. For example, stolen credentials were compiled in a list and used when the attackers needed to guess secret phrase in other locations. To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries (mainly Germany and Russia). The C&C infrastructure is actually a chain of servers working as proxies and hiding the location of the ‘mothership’ control server.
Unique architecture: The attackers created a multi-functional kit which has a capability of quick extension of the features that gather intelligence. The system is resistant to C&C server takeover and allows the attack to recover access to infected machines using alternative communication channels.
Broad variety of targets: Beside traditional attack targets (workstations), the system is capable of stealing data from mobile devices, such as smartphones (iPhone, Nokia, Windows Mobile), enterprise network equipment (Cisco), removable disk drives (including already deleted files via a custom file recovery procedure).
Importation of exploits: The samples we managed to find were using exploit code for vulnerabilities in Microsoft Word and Microsoft Excel that were created by other attackers and employed during different cyber attacks. The attackers left the imported exploit code untouched, perhaps to harden the identification process.
Attacker identification: Basing on registration data of C&C servers and numerous artifacts left in executables of the malware, we strongly believe that the attackers have Russian-speaking origins. Current attackers and executables developed by them have been unknown until recently, they have never related to any other targeted cyberattacks.
https:// securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/
With Rocra, however, Kaspersky suggested that the exploits were the work of Chinese hackers, while the Rocra malware modules - which scan networks and collect data - appear to have been created by Russian-speaking operatives.
"The main purpose of the operation appears to be the gathering of classified information and geopolitical intelligence, although it seems that the information gathering scope is quite wide," Kaspersky said. "During the past five years, the attackers collected information from hundreds of high profile victims although it's unknown how the information was used. It is possible that the information was sold on the black market, or used directly."
At this point, Rocra is "still active," and data is being sent to multiple command-and-control servers, which "rivals in complexity the infrastructure of the Flame malware." Still, Kaspersky could not find any connection between Rocra and Flame.
"Compared to Flame and Gauss, which are highly automated cyberespionage campaigns, Rocra is a lot more 'personal' and finely tuned for the victims," Kaspersky concluded.
https:// www.pcmag.com/article2/0,2817,2414260,00.asp
So it sounds like RED OCTOBER is still running and collecting data? Who is receiving that data?