Russian lab reports major malware discovery

MOSCOW — In what is being called a new hunt for Red October, a Russian cyber-security company says it has found a major international malware system that has attacked and compromised the computers of government agencies, diplomatic consulates, research centers and defense installations, among other sensitive institutions.

The malware has siphoned off terabytes’ worth of information, much of it classified, researchers with Moscow-based Kaspersky Lab said in a report this week. The origin of the program and the motives of the attackers remain elusive, but there are hints that the programmers are Russian, the report says.

“Last October we first received from our clients samples of something we soon gathered was not just a malware program but a multi-component attack platform, initially targeting embassies around the world,” Vitaly Kamlyuk, a senior anti-virus expert at Kaspersky, said Wednesday. “We called the virus ‘Red October’ because we detected it in October and because it required a level of red-alert attention to tackle.”

Similar to the Flame virus, a now-defunct spyware program Kaspersky thwarted last year, the new virus usually infiltrates computers through an email attachment camouflaged to mimic ordinary business correspondence, the expert said.

“One embassy was looking to buy a car and received the virus in a car sale proposal they soon found in their inbox,” Kamlyuk said.

Kaspersky, a leading developer of commercial anti-virus software, said it found victims of the malware with IP addresses in 39 countries, led by Switzerland, Kazakhstan and Greece. The most common targets included embassies, government agencies and research institutes, as well as aerospace and energy companies.

Kaspersky said the malware was probably being operated by a government or criminal organization large enough to employ at least two dozen highly trained programmers.

Independent experts in the United States offered differing views on who might be responsible.

“The two primary suspects for this operation would have been either Russia or China, just based on some of the data,” said John Bumgarner, research director for the U.S. Cyber Consequences Unit, a nongovernmental think tank.

But researcher Jeffrey Carr, author of “Inside Cyber Warfare,” theorized that the malware was the work of the foreign intelligence service of a NATO or European Union country, and that the intent was to spy on Russian embassies.

“It’s a pretty good guess” that Russia’s spy service, the FSB, approached Kaspersky and asked the firm to investigate, Carr said. “One of the indications was that they were specifically looking for Russian documents.”

Kaspersky researchers said the spyware, when first installed, might be only several hundred kilobytes in size, minuscule by modern computer standards. But as it gets established and communicates with its controllers, it may grow to several megabytes.

The virus records the names of the users, their IP addresses, information stored on their processors and local disks, the history of browsers, logins and passwords, and the records of devices plugged into USB ports, including smartphones, according to the report.

Like the Flame program, the new virus can record screen shots, as well as keystrokes.

Evidence of the Red October virus dates to May 2007, Kamlyuk said. The program was embedded in Microsoft Excel and Word documents that had been used by Chinese hackers against Asian companies and Tibetan political activists, Kamlyuk said.

“But soon enough,” he said, “we realized that, despite its obvious Chinese roots and the fact that no agencies in China were in fact targets of the new malicious program, the Chinese hackers had nothing to do with Red October.”

The language used in the malware was primarily English, but not that of a native English speaker. It included Cyrillic symbols and transliterations of terms from Russian computer jargon, the researchers said.

For instance, Kamlyuk said, the malware sometimes uses the Russian word “zakladka” for “bookmark” or “marker” and “proga” for “programs.”

“Many domain names of the malware were registered under fake Russian names and addresses too,” he said.

“Now we have come to the realization that we are dealing with something programmed by Russian-speaking experts, based on Chinese hackers’ exploit documents and mostly aimed at embassies of and other targets in Russia and its former Soviet satellites,” Kamlyuk said.

Sergei Karaganov, honorary chairman of the Council on Foreign and Defense Policy, a Moscow-based think tank, said in an interview that such cyber-espionage is increasingly common and that Russia and other countries have attempted to create international protocols to combat it.

“But every time, their attempts have been thwarted by the stiff resistance on the part of the United States, which probably counts too much on its supremacy in this sphere,” he said. “On the other hand, I wouldn’t rule out the possibility of this being an ingenious trick on the part of Kaspersky Lab to boost their trade.”

More in Local News

Former Monroe cop loses appeal on sex crimes conviction

Once a highly respected officer, he was found guilty of secretly videotaping his kids’ babysitter.

Shock from WSU suicide ripples through Snohomish County

Roughly 1 in 10 seniors, sophomores and 8th-graders said they had attempted to take their own lives.

Possible bobcat sighting keeps Snohomish students inside

The creature was spotted on the campus of Valley View Middle School around noon.

Derrick “Wiz” Crawford, 22, is a suspect in the homicide of his roommate. (Edmonds Police Department)
Roommate suspected in Edmonds killing found hiding in closet

Police had been searching for him for 10 days before locating him at a house in Everett.

Stabbing in Everett follows dispute between brothers-in-law

The victim, 54, was hospitalized. The suspect, 29, had not been apprehended Thursday.

New leaders coming to county, state political parties

Hillary Moralez of Bothell takes over as chair for the Snohomish County Democratic Party.

Camano Island man gets 18 years for role in drug ring

He was convicted of helping lead a drug distribution network in four Washington counties.

Lake Stevens man missing since beginning of January

Jason Michael Knox White hasn’t used his credit card or withdrawn money from his bank since then.

Deal reached on water bill clears way for action on capital budget

A lot of funding will to go toward housing, schools and projects in Snohomish County and statewide.

Most Read