Russian lab reports major malware discovery

MOSCOW — In what is being called a new hunt for Red October, a Russian cyber-security company says it has found a major international malware system that has attacked and compromised the computers of government agencies, diplomatic consulates, research centers and defense installations, among other sensitive institutions.

The malware has siphoned off terabytes’ worth of information, much of it classified, researchers with Moscow-based Kaspersky Lab said in a report this week. The origin of the program and the motives of the attackers remain elusive, but there are hints that the programmers are Russian, the report says.

“Last October we first received from our clients samples of something we soon gathered was not just a malware program but a multi-component attack platform, initially targeting embassies around the world,” Vitaly Kamlyuk, a senior anti-virus expert at Kaspersky, said Wednesday. “We called the virus ‘Red October’ because we detected it in October and because it required a level of red-alert attention to tackle.”

Similar to the Flame virus, a now-defunct spyware program Kaspersky thwarted last year, the new virus usually infiltrates computers through an email attachment camouflaged to mimic ordinary business correspondence, the expert said.

“One embassy was looking to buy a car and received the virus in a car sale proposal they soon found in their inbox,” Kamlyuk said.

Kaspersky, a leading developer of commercial anti-virus software, said it found victims of the malware with IP addresses in 39 countries, led by Switzerland, Kazakhstan and Greece. The most common targets included embassies, government agencies and research institutes, as well as aerospace and energy companies.

Kaspersky said the malware was probably being operated by a government or criminal organization large enough to employ at least two dozen highly trained programmers.

Independent experts in the United States offered differing views on who might be responsible.

“The two primary suspects for this operation would have been either Russia or China, just based on some of the data,” said John Bumgarner, research director for the U.S. Cyber Consequences Unit, a nongovernmental think tank.

But researcher Jeffrey Carr, author of “Inside Cyber Warfare,” theorized that the malware was the work of the foreign intelligence service of a NATO or European Union country, and that the intent was to spy on Russian embassies.

“It’s a pretty good guess” that Russia’s spy service, the FSB, approached Kaspersky and asked the firm to investigate, Carr said. “One of the indications was that they were specifically looking for Russian documents.”

Kaspersky researchers said the spyware, when first installed, might be only several hundred kilobytes in size, minuscule by modern computer standards. But as it gets established and communicates with its controllers, it may grow to several megabytes.

The virus records the names of the users, their IP addresses, information stored on their processors and local disks, the history of browsers, logins and passwords, and the records of devices plugged into USB ports, including smartphones, according to the report.

Like the Flame program, the new virus can record screen shots, as well as keystrokes.

Evidence of the Red October virus dates to May 2007, Kamlyuk said. The program was embedded in Microsoft Excel and Word documents that had been used by Chinese hackers against Asian companies and Tibetan political activists, Kamlyuk said.

“But soon enough,” he said, “we realized that, despite its obvious Chinese roots and the fact that no agencies in China were in fact targets of the new malicious program, the Chinese hackers had nothing to do with Red October.”

The language used in the malware was primarily English, but not that of a native English speaker. It included Cyrillic symbols and transliterations of terms from Russian computer jargon, the researchers said.

For instance, Kamlyuk said, the malware sometimes uses the Russian word “zakladka” for “bookmark” or “marker” and “proga” for “programs.”

“Many domain names of the malware were registered under fake Russian names and addresses too,” he said.

“Now we have come to the realization that we are dealing with something programmed by Russian-speaking experts, based on Chinese hackers’ exploit documents and mostly aimed at embassies of and other targets in Russia and its former Soviet satellites,” Kamlyuk said.

Sergei Karaganov, honorary chairman of the Council on Foreign and Defense Policy, a Moscow-based think tank, said in an interview that such cyber-espionage is increasingly common and that Russia and other countries have attempted to create international protocols to combat it.

“But every time, their attempts have been thwarted by the stiff resistance on the part of the United States, which probably counts too much on its supremacy in this sphere,” he said. “On the other hand, I wouldn’t rule out the possibility of this being an ingenious trick on the part of Kaspersky Lab to boost their trade.”

More in Local News

Majority of Marysville City Council seats are contested

The most closely watched race is between Mark James and Donna Wright.

500 tires go up in flames at a store south of Everett

There were no injuries. And it was nowhere near as bad as that months-long tire fire in 1984.

Inclusion super important to Monroe High senior

Sarah Reeves worked to make homecoming more representative of the student population.

A pot deal between teens leaves them injured, facing charges

Police found out about the incident when both ended up at the same hospital that night.

Funds up for council vote would aid conservation district

District stands to receive an extra $1 million each year, if the County Council gives its approval.

Herald photos of the week

A weekly collection of The Herald’s best images by staff photographers and… Continue reading

Lake Stevens man injured by 50-foot fall near Leavenworth

The rescuers had to tie in to keep from falling due to the steep rugged terrain.

‘Welcome to fall:” Wet, windy weather in the forecast

The Weather Service is warning people to prepare for power outages, possible flooding and falling trees.

Paul Brandal, 64, walks with his 25-year-old bison, “Wobble,” across a portion of his 70-acre farm between Ebey Slough and Sunnyside Boulevard Monday afternoon. “He just knows me,” Brandle says about the 1,800-pound animal. “He follows me around like a puppy.” (Dan Bates / The Herald)
From a wobbly calf to 1,00-pound behemoth

Wobble, a huge, shaggy bison, had a precarious start in life but now is the last of his herd.

Most Read