Cyber-attack running for five years cracked by Kaspersky

By Graeme Burton
14 Jan 2013 View Comments

A major cyber-attack that steals encrypted files, believed to have been targeted at embassies, nuclear research centres and energy organisations, has been uncovered by anti-virus software vendor Kaspersky.

The company claims that it has been running since 2007 and was focused on stealing and sending documents, including encrypted files and files that had been deleted.

Further reading

Kaspersky, which uncovered the attacks, released an analysis on SecureList today: "During the past five years, a high-level cyber-espionage campaign has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations, gathering data and intelligence from mobile devices, computer systems and network equipment," it claimed.

It added: "The campaign... is currently still active, with data being sent to multiple command-and-control servers, through a configuration which rivals in complexity the infrastructure of the Flame malware. Registration data used for the purchase of C&C [command and control] domain names and 'PE' timestamps from collected executables suggest that these attacks date as far back as May 2007."

The main objective of the attackers was to gather sensitive documents from the compromised organizations, which included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment," it claimed in a statement.

The epicentre of infections was Russia, with 35 identified infections, followed by Kazakhstan with 21 and Azerbaijan with 15. Other countries with identified infections were Iran with seven, the US with six, and Pakistan with five - although Turkmenistan, Ukraine, Belarus and Armenia, all former states of the Soviet Union - figured prominently.

"Based on registration data of the C&C servers and numerous artifacts left in executables of the malware, we strongly believe that the attackers have Russian-speaking origins. Current attackers and executables developed by them have been unknown until recently, they have never related to any other targeted cyber attacks," claimed Kaspersky.

The use of Russian slang within the malware, though, might be a "false flag", warned Professor Alan Woodward, visiting professor at the Department of Computing at the University of Surrey. 

Kaspersky, though, pointed the finger of suspicion at Russian and Chinese attackers, with the exploits having been created by Chinese hackers, while the malware modules were created by Russian-speaking hackers. 

"Currently, there is no evidence linking this with a nation-state sponsored attack. The information stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states. Such information could be traded in the underground and sold to the highest bidder, which can be, of course, anywhere," it said. 

The malware typically took advantage of three known vulnerabilities in Microsoft Excel and Word to drop a Trojan on targeted PCs. Once infected, the malware scans the local area network to find other hosts with the same flaws that it can attack.

Kaspersky says that it uncovered the attack in October 2012 - hence the name - and that it seemed to attack eight main sectors: 

  1. Government;
  2. Diplomatic/embassies;
  3. Research institutions;  
  4. Trade and commerce; 
  5. Nuclear and energy research; 
  6. Oil and gas companies; 
  7. Aerospace;  
  8. Military.

Reader comments
blog comments powered by Disqus
Windows 10 - will you upgrade?

Microsoft has made an early version of Windows 10 - its next operating system - available for download. The OS promises better integration and harmonisation across platforms, including mobile and desktop. Will your business be upgrading?

37 %
27 %
15 %
21 %