posted on Jan, 14 2013 @ 08:51 PM
reply to post by ashtonhz8907
Oh you beat me to it! I'm literally writing my thread up now, which I guess I can delete
This is absolutely bananas! As you read above, for at least 5 years high-profile individuals, who have not been named, were specifically targeted by
hackers/spies to extract all of their data from their computers, USB drives, mobile phones, tablets, you name it! Who was doing this? Well, the
security company that uncovered this suggests the spies are of Russian origin due to Russian language being discovered, i.e. Russian slang that non-native
speakers generally don't know, and some of the collection servers were found to be in Russia, although others were also found in Germany. But the
company also suggests the Russian connection could very well be a red herring and really doesn't know who is behind this complex computer hacker spy.
If you guys thought the Java security was an issue, you ain't seen nothing yet!
I suggest you all read the Wired.com article for a good time!
Cybersleuths Uncover 5-Year Spy Operation Targeting Governments, Others
“The main purpose of the operation appears to be the gathering of classified information and geopolitical intelligence, although it seems that
the information-gathering scope is quite wide,” Kaspersky notes in a report released Monday. “During the past five years, the attackers collected
information from hundreds of high-profile victims, although it’s unknown how the information was used.”
The attack also shows no signs yet of being the product of a nation-state and may instead be the work of cybercriminals or freelance spies looking
to sell valuable intelligence to governments and others on the black market, according to Kaspersky Lab senior security researcher Costin Raiu.
The malware the attackers use is highly modular and customized for each victim, each of whom is assigned a unique ID that is hardcoded into the
malware modules they receive.
“The victim ID is basically a 20-hex digit number,” Raiu says. “But we haven’t been able to figure out any method to extract any other
information from the victim ID…. They are compiling the modules right before putting them into the booby-trapped documents, which are also
customized to the specific target with a lure that can be interesting to the victim. What we are talking about is a very targeted and very customized
operation, and each victim is pretty much unique in what they receive.”
Each module is designed to perform various tasks — extract passwords, steal browser history, log keystrokes, take screenshots, identify and
fingerprint Cisco routers and other equipment on the network, steal email from local Outlook storage or remote POP/IMAP servers, and siphon documents
from the computer and from local network FTP servers. One module designed to steal files from USB devices attached to an infected machine uses a
customized procedure to find and recover deleted files from the USB stick.
A separate mobile module detects when a victim connects an iPhone, Nokia or Windows phone to the computer and steals the contact list, SMS messages,
call and browsing history, calendar information and any documents stored on the phone.
Based on search parameters uncovered in some of the modules, the attackers are looking for a wide variety of documents, including .pdf files, Excel
spreadsheets, .csv files and, in particular, any documents with various .acid extensions. These refer to documents run through Acid Cryptofiler, an
encryption program developed by the French military, which is on a list of crypto software approved for use by the European Union and NATO.
Kaspersky says the campaign is much more sophisticated than other extensive spy operations exposed in recent years, such as Aurora, which targeted
Google and more than two dozen other companies, or the Night Dragon attacks that targeted energy companies for four years.
“Generally speaking, the Aurora and Night Dragon campaigns used relatively simple malware to steal confidential information,” Kaspersky writes in
its report. With Red October, “the attackers managed to stay in the game for over 5 years and evade detection of most antivirus products while
continuing to exfiltrate what must be hundreds of terabytes by now.”
The infection occurs in two stages and generally comes via a spear-phishing attack. The malware first installs a backdoor onto systems to establish a
foothold and open a channel of communication to the command-and-control servers. From there, the attackers download any of a number of different
modules to the machine.
Raiu says the command-and-control servers are set up in a chain, with three levels of proxies, to hide the location of the “mothership” and
prevent investigators from tracing back to the final collection point. Somewhere, he says, lies a “super server” that automatically processes all
of the stolen documents, keystrokes and screenshots, organized per unique victim ID.
“Considering there are hundreds of victims, the only possibility is that there is a huge automated infrastructure which keeps track of … all these
different dates and which documents have been downloaded during which timeframe,” Raiu says. “This gives them a wide view of everything related to a
single victim to manage the infection, to send more modules or determine what documents they still want to obtain.”
edit on 14-1-2013 by Swills because: (no