Russian lab reports major malware discovery

MOSCOW — In what is being called a new hunt for Red October, a Russian cyber-security company says it has found a major international malware system that has attacked and compromised the computers of government agencies, diplomatic consulates, research centers and defense installations, among other sensitive institutions.

The malware has siphoned off terabytes’ worth of information, much of it classified, researchers with Moscow-based Kaspersky Lab said in a report this week. The origin of the program and the motives of the attackers remain elusive, but there are hints that the programmers are Russian, the report says.

“Last October we first received from our clients samples of something we soon gathered was not just a malware program but a multi-component attack platform, initially targeting embassies around the world,” Vitaly Kamlyuk, a senior anti-virus expert at Kaspersky, said Wednesday. “We called the virus ‘Red October’ because we detected it in October and because it required a level of red-alert attention to tackle.”

Similar to the Flame virus, a now-defunct spyware program Kaspersky thwarted last year, the new virus usually infiltrates computers through an email attachment camouflaged to mimic ordinary business correspondence, the expert said.

“One embassy was looking to buy a car and received the virus in a car sale proposal they soon found in their inbox,” Kamlyuk said.

Kaspersky, a leading developer of commercial anti-virus software, said it found victims of the malware with IP addresses in 39 countries, led by Switzerland, Kazakhstan and Greece. The most common targets included embassies, government agencies and research institutes, as well as aerospace and energy companies.

Kaspersky said the malware was probably being operated by a government or criminal organization large enough to employ at least two dozen highly trained programmers.

Independent experts in the United States offered differing views on who might be responsible.

“The two primary suspects for this operation would have been either Russia or China, just based on some of the data,” said John Bumgarner, research director for the U.S. Cyber Consequences Unit, a nongovernmental think tank.

But researcher Jeffrey Carr, author of “Inside Cyber Warfare,” theorized that the malware was the work of the foreign intelligence service of a NATO or European Union country, and that the intent was to spy on Russian embassies.

“It’s a pretty good guess” that Russia’s spy service, the FSB, approached Kaspersky and asked the firm to investigate, Carr said. “One of the indications was that they were specifically looking for Russian documents.”

Kaspersky researchers said the spyware, when first installed, might be only several hundred kilobytes in size, minuscule by modern computer standards. But as it gets established and communicates with its controllers, it may grow to several megabytes.

The virus records the names of the users, their IP addresses, information stored on their processors and local disks, the history of browsers, logins and passwords, and the records of devices plugged into USB ports, including smartphones, according to the report.

Like the Flame program, the new virus can record screen shots, as well as keystrokes.

Evidence of the Red October virus dates to May 2007, Kamlyuk said. The program was embedded in Microsoft Excel and Word documents that had been used by Chinese hackers against Asian companies and Tibetan political activists, Kamlyuk said.

“But soon enough,” he said, “we realized that, despite its obvious Chinese roots and the fact that no agencies in China were in fact targets of the new malicious program, the Chinese hackers had nothing to do with Red October.”

The language used in the malware was primarily English, but not that of a native English speaker. It included Cyrillic symbols and transliterations of terms from Russian computer jargon, the researchers said.

For instance, Kamlyuk said, the malware sometimes uses the Russian word “zakladka” for “bookmark” or “marker” and “proga” for “programs.”

“Many domain names of the malware were registered under fake Russian names and addresses too,” he said.

“Now we have come to the realization that we are dealing with something programmed by Russian-speaking experts, based on Chinese hackers’ exploit documents and mostly aimed at embassies of and other targets in Russia and its former Soviet satellites,” Kamlyuk said.

Sergei Karaganov, honorary chairman of the Council on Foreign and Defense Policy, a Moscow-based think tank, said in an interview that such cyber-espionage is increasingly common and that Russia and other countries have attempted to create international protocols to combat it.

“But every time, their attempts have been thwarted by the stiff resistance on the part of the United States, which probably counts too much on its supremacy in this sphere,” he said. “On the other hand, I wouldn’t rule out the possibility of this being an ingenious trick on the part of Kaspersky Lab to boost their trade.”

More in Local News

Snohomish man, 63, missing from home since Monday

He left without his keys, wallet and phone, saying something about going to “the river.”

Firefighters come to the rescue and give mom new stroller

Donations to the Good Neighbor Program covered the $143.20 cost.

Case unresolved: The noose at an Edmonds construction site

Though two were fired over comments about it, police were unable to determine who put it there.

To get drug money, Lynnwood man says he cut 911 wires

Those wires happened to be the ones used by 911 dispatchers, but emergency services weren’t affected.

February trial set for suspect in deadly Marysville shooting

There had been questions about Wayne Alpert’s mental health.

Fatal car crash reported on Highway 92 near Lake Stevens

The 3 p.m. accident and investigation stopped traffic in both directions near Machias Road.

Motorcyclist killed in crash had high level of THC

A motorcyclist had more than eight times the legal limit… Continue reading

Investigation recommends girl shot by officers face charges

The teen is accused of assaulting her boyfriend and the responding police officers.

Signs show the rates for using the express toll lanes for traffic headed southbound on Interstate 405, Tuesday, Feb. 16, 2016, in Bothell, Wash. Gov. Jay Inslee announced plans Tuesday to try to decrease congestion on I-405 in answer to commuter complaints that the new express lane tolling system is making traffic worse. The governor said he would not be shutting down the tolling system as some people have called for. But the state transportation department is making plans to add new northbound general purpose lanes to ease some of the congestion and also plan to make it easier to move into and out of the express lanes. (AP Photo/Elaine Thompson)
Higher tolls could improve traffic speed in I-405 toll lanes

A report recommends lifting on the maximum toll and charging only by segment.

Most Read