A cyberweapon has been lurking in the depths of the Internet, and an unknown number of computer systems, for more than five years. The malware, discovered by Kaspersky Labs last fall and dubbed "Red October," targets encrypted files at critical facilities ranging from embassies to nuclear research centers to gas and oil operations.
One outside expert, Alan Woodward of the University of Surrey in Britain, characterized the Red October attacks as "very significant." Added Woodward, the malware "appears to be trying to suck up all the usual things - Word documents, PDFs, all the things you'd expect. But in addition," he said, "a couple of the file extensions it's going after are very specific encrypted files."
A statement from Kaspersky Labs noted that the attacks were designed to obtain sensitive documents ranging from geopolitical intelligence reports to system access credentials and data taken from individuals' mobile devices. And, says Vitaly Kamluk, chief malware researcher at Kaspersky Labs, Red October's targets seem to be "carefully chosen."
Red October has some previously unseen capabilities, such as recovering files that users think they have deleted. It also "hides" on a machine if detected, waiting to be triggered back into action by an email.
The cyberweapon was discovered last October. Its name, given by Kaspersky, refers to a submarine in the 1980s-vintage technothriller "The Hunt for Red October." Technical features of Red October have much in common with the Flame malware reported last year. Like Flame, it consists of several different modules, each with a specific function.
Red October's origin remains uncertain. Its code contains what looks like Russian-influenced English, but the University of Surrey's Woodward noted that this could be a "false flag" deception.
Flame has been widely reported to have features suggesting an origin related to the Stuxnet worm. Stuxnet in turn is believed by many observers to be the product of Western intelligence agencies.