Russian lab reports major malware discovery

MOSCOW — In what is being called a new hunt for Red October, a Russian cyber-security company says it has found a major international malware system that has attacked and compromised the computers of government agencies, diplomatic consulates, research centers and defense installations, among other sensitive institutions.

The malware has siphoned off terabytes’ worth of information, much of it classified, researchers with Moscow-based Kaspersky Lab said in a report this week. The origin of the program and the motives of the attackers remain elusive, but there are hints that the programmers are Russian, the report says.

“Last October we first received from our clients samples of something we soon gathered was not just a malware program but a multi-component attack platform, initially targeting embassies around the world,” Vitaly Kamlyuk, a senior anti-virus expert at Kaspersky, said Wednesday. “We called the virus ‘Red October’ because we detected it in October and because it required a level of red-alert attention to tackle.”

Similar to the Flame virus, a now-defunct spyware program Kaspersky thwarted last year, the new virus usually infiltrates computers through an email attachment camouflaged to mimic ordinary business correspondence, the expert said.

“One embassy was looking to buy a car and received the virus in a car sale proposal they soon found in their inbox,” Kamlyuk said.

Kaspersky, a leading developer of commercial anti-virus software, said it found victims of the malware with IP addresses in 39 countries, led by Switzerland, Kazakhstan and Greece. The most common targets included embassies, government agencies and research institutes, as well as aerospace and energy companies.

Kaspersky said the malware was probably being operated by a government or criminal organization large enough to employ at least two dozen highly trained programmers.

Independent experts in the United States offered differing views on who might be responsible.

“The two primary suspects for this operation would have been either Russia or China, just based on some of the data,” said John Bumgarner, research director for the U.S. Cyber Consequences Unit, a nongovernmental think tank.

But researcher Jeffrey Carr, author of “Inside Cyber Warfare,” theorized that the malware was the work of the foreign intelligence service of a NATO or European Union country, and that the intent was to spy on Russian embassies.

“It’s a pretty good guess” that Russia’s spy service, the FSB, approached Kaspersky and asked the firm to investigate, Carr said. “One of the indications was that they were specifically looking for Russian documents.”

Kaspersky researchers said the spyware, when first installed, might be only several hundred kilobytes in size, minuscule by modern computer standards. But as it gets established and communicates with its controllers, it may grow to several megabytes.

The virus records the names of the users, their IP addresses, information stored on their processors and local disks, the history of browsers, logins and passwords, and the records of devices plugged into USB ports, including smartphones, according to the report.

Like the Flame program, the new virus can record screen shots, as well as keystrokes.

Evidence of the Red October virus dates to May 2007, Kamlyuk said. The program was embedded in Microsoft Excel and Word documents that had been used by Chinese hackers against Asian companies and Tibetan political activists, Kamlyuk said.

“But soon enough,” he said, “we realized that, despite its obvious Chinese roots and the fact that no agencies in China were in fact targets of the new malicious program, the Chinese hackers had nothing to do with Red October.”

The language used in the malware was primarily English, but not that of a native English speaker. It included Cyrillic symbols and transliterations of terms from Russian computer jargon, the researchers said.

For instance, Kamlyuk said, the malware sometimes uses the Russian word “zakladka” for “bookmark” or “marker” and “proga” for “programs.”

“Many domain names of the malware were registered under fake Russian names and addresses too,” he said.

“Now we have come to the realization that we are dealing with something programmed by Russian-speaking experts, based on Chinese hackers’ exploit documents and mostly aimed at embassies of and other targets in Russia and its former Soviet satellites,” Kamlyuk said.

Sergei Karaganov, honorary chairman of the Council on Foreign and Defense Policy, a Moscow-based think tank, said in an interview that such cyber-espionage is increasingly common and that Russia and other countries have attempted to create international protocols to combat it.

“But every time, their attempts have been thwarted by the stiff resistance on the part of the United States, which probably counts too much on its supremacy in this sphere,” he said. “On the other hand, I wouldn’t rule out the possibility of this being an ingenious trick on the part of Kaspersky Lab to boost their trade.”

More in Local News

Man suspected of robbing Rite Aids

Mill Creek police released a sketch Monday evening of the suspect.

Teen charged with murder in shooting over car

A Lynnwood teen has been charged with second-degree murder for… Continue reading

Work begins on Everett housing for homeless, mentally ill

The complex on Berkshire Drive will have 65 apartments and is expected to be complete next year.

Police looking for Lynnwood bank robber

The robber did not flash a weapon to the teller at a U.S. Bank.

Here’s how much property taxes will rise to pay for schools

The owner of a $350,000 home is looking at a property-tax hike of nearly $300 this year.

Everett man accused of causing his baby’s brain damage

He told police he shook his son to get him to stop crying, and the boy slipped out of his hands.

At one point she dropped out; now she’s graduation-bound

Anita Bradford-Diaz has had her share of setbacks, but they only seem to increase her motivation.

Employee threats caused lockdown at Arlington elementary

Arlington Police said all students and staff were.

Residents are helping turn Casino Road in a new direction

An initiative backed by a $700,000 grant goes to the community for solutions to the area’s challenges.

Most Read