Russian lab reports major malware discovery

MOSCOW — In what is being called a new hunt for Red October, a Russian cyber-security company says it has found a major international malware system that has attacked and compromised the computers of government agencies, diplomatic consulates, research centers and defense installations, among other sensitive institutions.

The malware has siphoned off terabytes’ worth of information, much of it classified, researchers with Moscow-based Kaspersky Lab said in a report this week. The origin of the program and the motives of the attackers remain elusive, but there are hints that the programmers are Russian, the report says.

“Last October we first received from our clients samples of something we soon gathered was not just a malware program but a multi-component attack platform, initially targeting embassies around the world,” Vitaly Kamlyuk, a senior anti-virus expert at Kaspersky, said Wednesday. “We called the virus ‘Red October’ because we detected it in October and because it required a level of red-alert attention to tackle.”

Similar to the Flame virus, a now-defunct spyware program Kaspersky thwarted last year, the new virus usually infiltrates computers through an email attachment camouflaged to mimic ordinary business correspondence, the expert said.

“One embassy was looking to buy a car and received the virus in a car sale proposal they soon found in their inbox,” Kamlyuk said.

Kaspersky, a leading developer of commercial anti-virus software, said it found victims of the malware with IP addresses in 39 countries, led by Switzerland, Kazakhstan and Greece. The most common targets included embassies, government agencies and research institutes, as well as aerospace and energy companies.

Kaspersky said the malware was probably being operated by a government or criminal organization large enough to employ at least two dozen highly trained programmers.

Independent experts in the United States offered differing views on who might be responsible.

“The two primary suspects for this operation would have been either Russia or China, just based on some of the data,” said John Bumgarner, research director for the U.S. Cyber Consequences Unit, a nongovernmental think tank.

But researcher Jeffrey Carr, author of “Inside Cyber Warfare,” theorized that the malware was the work of the foreign intelligence service of a NATO or European Union country, and that the intent was to spy on Russian embassies.

“It’s a pretty good guess” that Russia’s spy service, the FSB, approached Kaspersky and asked the firm to investigate, Carr said. “One of the indications was that they were specifically looking for Russian documents.”

Kaspersky researchers said the spyware, when first installed, might be only several hundred kilobytes in size, minuscule by modern computer standards. But as it gets established and communicates with its controllers, it may grow to several megabytes.

The virus records the names of the users, their IP addresses, information stored on their processors and local disks, the history of browsers, logins and passwords, and the records of devices plugged into USB ports, including smartphones, according to the report.

Like the Flame program, the new virus can record screen shots, as well as keystrokes.

Evidence of the Red October virus dates to May 2007, Kamlyuk said. The program was embedded in Microsoft Excel and Word documents that had been used by Chinese hackers against Asian companies and Tibetan political activists, Kamlyuk said.

“But soon enough,” he said, “we realized that, despite its obvious Chinese roots and the fact that no agencies in China were in fact targets of the new malicious program, the Chinese hackers had nothing to do with Red October.”

The language used in the malware was primarily English, but not that of a native English speaker. It included Cyrillic symbols and transliterations of terms from Russian computer jargon, the researchers said.

For instance, Kamlyuk said, the malware sometimes uses the Russian word “zakladka” for “bookmark” or “marker” and “proga” for “programs.”

“Many domain names of the malware were registered under fake Russian names and addresses too,” he said.

“Now we have come to the realization that we are dealing with something programmed by Russian-speaking experts, based on Chinese hackers’ exploit documents and mostly aimed at embassies of, and other targets in, Russia and its former Soviet satellites,” Kamlyuk said.

Sergei Karaganov, honorary chairman of the Council on Foreign and Defense Policy, a Moscow-based think tank, said in an interview that such cyber-espionage is increasingly common and that Russia and other countries have attempted to create international protocols to combat it.

“But every time, their attempts have been thwarted by the stiff resistance on the part of the United States, which probably counts too much on its supremacy in this sphere,” he said. “On the other hand, I wouldn’t rule out the possibility of this being an ingenious trick on the part of Kaspersky Lab to boost their trade.”
