'Red October' cyberspies sucked data from governments worldwide, researchers say

Victims of the "Red October" attackers, which were primarily diplomatic/government organizations, scientific research institutions, nuclear and energy groups, and targets in the trade and aerospace industries. (Kaspersky Lab)

A group of Russian-speaking coders built a sophisticated spy network that has been sucking data from governments, embassies, and aerospace and research institutions around the world, researchers say -- and the five-year-old campaign is still actively siphoning info from the U.S. and Western Europe.

“We estimate the total amount of exfiltrated data to be in the petabytes,” Roel Schouwenberg, a senior researcher with Kaspersky Lab, told FoxNews.com.

A petabyte is 1 million gigabytes, the data equivalent of hundreds of academic research libraries.

Kaspersky released a research report on Monday identifying Operation “Red October,” and said the group had written its own highly sophisticated malware, dubbed “Rocra.”

“It’s very, very well executed -- a truly sophisticated attack,” Schouwenberg said. Rocra’s unique, modular architecture comprises more than 30 pieces of malware -- malicious extensions, info-stealing modules and backdoor Trojans, he explained.

“This is custom-created malware with novel ideas on how to pull Internet responders, how to get access, and how to regain access to machines that have been cleaned off of malware -- which is really a very interesting approach,” he said.

One part of the spyware even targets software most of the world has never heard of: a classified government application used to encrypt sensitive communications. Schouwenberg said Rocra was “Hoovering” up anything it could get its hands on: credentials, passwords, office documents, archives, data from Internet phones and more.

It was even seeking out file types his group had never heard of before.

“These file types belong to a piece of software that’s classified, used by the European parliament and NATO. There’s very little information about it on the Internet,” Schouwenberg told FoxNews.com. “These guys knew very much what they were after.”

Kaspersky Lab said it couldn’t concretely identify which nation state was responsible for the spy network. Rocra uses code similar to that used by Chinese hackers, Schouwenberg noted, but the malware has Russian references as well: slang words, and so on.

“We are really quite confident that the attackers behind this were Russian-speaking, but we have no idea about their geographic location -- whether they’re in the Ukraine, or Brooklyn, New York,” he told FoxNews.com.

His company’s software has blocked this type of attack generically for a long time, he said, and the specific fix has been shared with other security researchers.

The five-year-old spy network is highly advanced, far beyond the average attack one sees on a daily basis from China, he said.

“One can only imagine the sophistication of the stuff that’s being developed now by nation states.”