Targets include counties in Western Europe and North America, but the main targets are in Eastern Europe, the former USSR and Central Asia, according to the security firm’s latest research report.
The main objective of the attackers was to gather sensitive documents from the compromised organisations, which included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment.
The cyber espionage network was discovered when Kaspersky Lab began an investigation after a series of attacks against computer networks targeting international diplomatic service agencies in October 2012.
Researchers said the cyber espionage campaign, dubbed Operation Red October, is still active and dates back as far as 2007.
Characteristics of Rocra malware
- Resurrection module: The module is embedded as a plug-in inside Adobe Reader and Microsoft Office installations and provides the attackers a fool-proof way to regain access to a target system if the main malware body is discovered and removed, or if the system is patched.
- Advanced cryptographic spy modules: The main purpose of the spying modules is to steal information. This includes files from different cryptographic systems, such as Acid Cryptofiler, which is used in organisations such as Nato to protect sensitive information.
- Mobile devices: In addition to targeting traditional workstations, the malware is capable of stealing data from mobile devices, such as smartphones (iPhone, Nokia and Windows Mobile).
- Network equipment: The malware is also capable of stealing configuration information from enterprise network equipment, such as routers and switches, as well as deleted files from removable disk drives.
The campaign uses custom malware called Rocra that has its own unique modular architecture made up of malicious extensions, information-stealing modules and backdoor Trojans.
The attackers often used information exfiltrated from infected networks as a way to gain entry into additional systems, the researchers said.
For example, stolen credentials were compiled in a list and used when the attackers needed to guess passwords or phrases to gain access to additional systems.
To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries, with the majority being in Germany and Russia.
Analysis of Rocra’s command and control infrastructure shows that the chain of servers was actually working as proxies to hide the location of the "mothership" control server.
Information stolen from infected systems includes documents with a wide variety of extensions, including those that appear to refer to classified software used by the European Union, Nato and other entities.
Spear phishing attacks
To infect systems, the attackers sent a targeted spear phishing email to a victim that included a customised Trojan dropper.
The malicious email included exploits that were aimed at security vulnerabilities inside Microsoft Office and Microsoft Excel.
Read more on cyber security
The exploits from the documents used in the spear phishing emails were created by other attackers and used against targets, including Tibetan activists and military and energy sectors in Asia.
The only thing that was changed in the document used by Rocra was the embedded executable, which the attackers replaced with their own code.
The attackers created a multi-functional attack platform that includes several extensions and malicious files designed to quickly adjust to different systems’ configurations and harvest intelligence from infected machines, researchers found.
The platform is unique to Rocra and has not been identified by Kaspersky Lab in previous cyber espionage campaigns.
The security firm said that, in collaboration with international organisations, law enforcement agencies and Computer Emergency Response Teams (Certs), it is continuing its investigation of Rocra by providing technical expertise and resources for remediation and mitigation procedures.