https://www.engineeringnews.co.za

Cyber-espionage malware stole data over five-year period

8th February 2013

By: Natalie Greve

Creamer Media Contributing Editor Online


A flexible cyber-espionage malware program, named Red October, stole sensitive documents and data from government and scientific research organisations for at least five years, according to research by intrusion detection and prevention company Kaspersky Lab.

The cyber-espionage campaign primarily targeted countries in Eastern Europe, the former Soviet republics and Central Asia, although victims were identified everywhere, including Western Europe and North America.

“The main objective of the attackers was to gather sensitive documents from the compromised organisations, which included geopolitical intelligence, credentials to access classified computer systems and data from personal mobile devices and network equipment,” states the January 2013 research report.

Kaspersky Lab started its investigation in October, following a series of attacks on the computer networks of international diplomatic service agencies. A large-scale cyber-espionage network was exposed and analysed during the investigation. Operation Red October, or Rocra, was still active last month and has been a sustained campaign dating back to 2007.

The attackers focused on diplomatic and government agencies of various countries worldwide, in addition to research institutions and energy and nuclear groups, as well as trade and aerospace organisations. Their malware has a unique modular architecture that uses malicious extensions, info-stealing modules and backdoor Trojans. They often used information from infected networks to gain entry into additional systems. For example, a list of stolen credentials was compiled and used when the attackers needed to guess passwords or phrases to gain access to additional systems.

To control the network of infected machines, the attackers created more than 60 domain names and several server-hosting locations in different countries, with the majority being in Germany and Russia.

Kaspersky Lab’s analysis of Rocra’s command and control infrastructure shows that the chain of servers was actually working as proxies to hide the location of the ‘mother-ship’ control server.

Information stolen from infected systems includes documents with the extensions txt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau, cif, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca, aciddsk, acidpvr, acidppr, acidssa. The ‘acid’ extensions, in particular, appear to refer to the classified software Acid Cryptofiler, which is used by several entities, such as the European Union and the North Atlantic Treaty Organisation.

To infect systems, the attackers sent a targeted spear-phishing email to a victim, which included a customised Trojan dropper. To install the malware and infect the system, the malicious email carried exploits for security vulnerabilities in Microsoft Office and Microsoft Excel.

The exploits from the documents used in the spear-phishing emails had been created by other attackers and had been employed during previous cyber attacks. The only change in the document used by Rocra was the embedded executable, which the attackers replaced with their own code.

Notably, one of the commands in the Trojan dropper changed the default system code page of the command prompt session to 1251, which is required to render Cyrillic fonts.
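Two of the details above give a defender something concrete to look for: the list of document extensions Rocra harvested, and the dropper switching a command-prompt session to code page 1251. The following script is an added example, not code from the article or from Kaspersky Lab. It runs both indicators over a few constructed endpoint telemetry lines in a hypothetical `kind|host|pid|detail` format, and flags a process that switches to code page 1251, reads an unusual number of the targeted document types, or touches any of the credential and cryptography file types (the ‘acid’, key, certificate and PGP extensions). The telemetry format, host names, thresholds and file paths are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Extensions the article reports Rocra harvested (lower-case, no leading dot).
ROCRA_EXTENSIONS = {
    "txt", "csv", "eml", "doc", "vsd", "sxw", "odt", "docx", "rtf", "pdf",
    "mdb", "xls", "wab", "rst", "xps", "iau", "cif", "key", "crt", "cer",
    "hse", "pgp", "gpg", "xia", "xiu", "xis", "xio", "xig",
    "acidcsa", "acidsca", "aciddsk", "acidpvr", "acidppr", "acidssa",
}

# Credential / crypto material: one read is worth an alert on its own.
HIGH_VALUE_EXTENSIONS = {e for e in ROCRA_EXTENSIONS if e.startswith("acid")} | {
    "key", "crt", "cer", "pgp", "gpg",
}

# The dropper behaviour from the article: 'chcp 1251' in a command line,
# whether typed directly or chained ('cmd.exe /c chcp 1251 && ...').
CHCP_1251 = re.compile(r"\bchcp\s+1251\b", re.IGNORECASE)

# Constructed telemetry (hypothetical format: kind|host|pid|detail).
# ws-17/4120 shows the suspicious pattern; ws-22/880 is ordinary activity.
SAMPLE_EVENTS = [
    "proc|ws-17|4120|cmd.exe /c chcp 1251",
    "file|ws-17|4120|C:\\Users\\j.smith\\Documents\\budget.xls",
    "file|ws-17|4120|C:\\Users\\j.smith\\Documents\\notes.txt",
    "file|ws-17|4120|C:\\Users\\j.smith\\Documents\\memo.docx",
    "file|ws-17|4120|C:\\Users\\j.smith\\Documents\\plan.pdf",
    "file|ws-17|4120|C:\\Users\\j.smith\\contacts.wab",
    "file|ws-17|4120|C:\\Users\\j.smith\\Documents\\report.acidcsa",
    "proc|ws-22|880|explorer.exe",
    "file|ws-22|880|C:\\Users\\a.jones\\Pictures\\photo.jpg",
    "file|ws-22|880|C:\\Users\\a.jones\\Music\\song.mp3",
    "file|ws-22|880|C:\\Users\\a.jones\\readme.txt",
]


def parse_event(line):
    """Split one 'kind|host|pid|detail' line into a dict (detail may contain '|')."""
    kind, host, pid, detail = line.split("|", 3)
    return {"kind": kind, "host": host, "pid": int(pid), "detail": detail}


def extension_of(path):
    """Lower-case extension without the dot, or '' when the file has none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines, bulk_threshold=5):
    """Return a sorted list of (host, pid, reason) alerts for the given telemetry."""
    alerts = set()
    targeted_reads = defaultdict(set)    # (host, pid) -> targeted files read
    high_value_reads = defaultdict(set)  # (host, pid) -> credential/crypto files read
    for line in lines:
        ev = parse_event(line)
        key = (ev["host"], ev["pid"])
        if ev["kind"] == "proc" and CHCP_1251.search(ev["detail"]):
            alerts.add(key + ("code page switched to 1251",))
        elif ev["kind"] == "file":
            ext = extension_of(ev["detail"])
            if ext in ROCRA_EXTENSIONS:
                targeted_reads[key].add(ev["detail"])
            if ext in HIGH_VALUE_EXTENSIONS:
                high_value_reads[key].add(ev["detail"])
    # Bulk collection: one process reading many distinct targeted document types.
    for key, files in targeted_reads.items():
        if len(files) >= bulk_threshold:
            alerts.add(key + (f"bulk read of {len(files)} targeted document types",))
    for key, files in high_value_reads.items():
        alerts.add(key + (f"read {len(files)} credential/crypto file(s)",))
    return sorted(alerts)


if __name__ == "__main__":
    for host, pid, reason in detect(SAMPLE_EVENTS):
        print(f"{host} pid {pid}: {reason}")
```

In practice the `chcp 1251` indicator alone is noisy on hosts where Cyrillic output is legitimate, which is why the script keys every alert on the process and pairs the code-page switch with the document-collection pattern on the same process; the threshold and the high-value set are starting points to tune against a site's own baseline rather than fixed values.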

The Kaspersky Security Network (KSN) used detection statistics to report telemetry and deliver advanced threat protection in the form of blacklists and heuristic rules. The KSN had detected the exploit code used in the malware as early as 2011, which enabled Kaspersky Lab to search for similar detections related to Rocra.

The research team also created a sinkhole server to monitor infected machines connecting to Rocra’s command and control servers. The data received during the analysis from both methods provided two independent ways of correlating and confirming their findings.

Based on the registration data of command and control servers and the numerous artefacts left in the executables of the malware, there is strong technical evidence that supports the notion that the attackers are of Russian origin.

Kaspersky Lab, in collaboration with international organisations, law enforcement agencies and computer emergency response teams, is continuing its investigation of Rocra by providing technical expertise and resources for remediation and mitigation procedures.

Edited by Martin Zhuwakinyu
Creamer Media Magazine Managing Editor
