Shocker! It looks like the Russians might be cyber spying on the countries that make up their former empire. IT security firm Kaspersky Lab just announced that it has found a new cyber espionage tool called Rocra.
The malware, active since 2007, targets mostly former USSR states and Eastern European countries, along with a limited number of diplomatic and government installations in Western Europe, North America and other places. It is designed to collect "geopolitical intelligence, credentials to access classified computer systems," and data from smartphones, routers, and even deleted info from removable disk drives as part of an espionage operation dubbed Red October (seriously), according to Kaspersky Lab's announcement.
The lab believes the "attackers have Russian-speaking origins" based on forensic evidence found in the malware and the registration data for Rocra's command-and-control servers. (Hey, it could be Western intelligence posing as Russian-speaking spies, who knows.)
More specifically, it looks like Rocra is designed to steal access codes to classified networks at diplomatic missions, research installations, "energy and nuclear groups," and "trade and aerospace targets" (see: defense firms), according to Kaspersky. The bug is installed via targeted email attacks (spear phishing) that convince recipients to open up a Microsoft Office file that installs malware on their machines via a security flaw in Office.
Once on a victim's computer, Rocra looks to steal passwords used to access sensitive information and even steals files from Acid Cryptofiler, cryptography software used by "NATO, the European Union, European Parliament and European Commission since 2011 to protect sensitive information," states the announcement.
"The attackers often used information exfiltrated from infected networks as a way to gain entry into additional systems," reads the announcement. "For example, stolen credentials were compiled in a list and used when the attackers needed to guess passwords or phrases to gain access to additional systems."
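The behavior quoted above, one set of stolen credentials reused to walk into many other systems, is something a defender can look for in authentication logs. The script below is an added illustration written for this page, not code from Kaspersky or from the Red October report; it assumes a simple constructed `host=... user=... src=... result=...` log format and flags any account that authenticates (successfully or not) to an unusual number of distinct hosts inside a short window, which is what credential reuse and password guessing from a harvested list tend to look like.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log format for this example; real systems differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

# Constructed sample lines, not real data: 'jdoe' is used against four hosts
# within eight minutes, the other two accounts behave normally.
SAMPLE_LOGS = """\
2013-01-14T09:00:01 host=fs01 user=jdoe src=10.1.2.3 result=success
2013-01-14T09:03:12 host=mail01 user=jdoe src=10.1.2.3 result=success
2013-01-14T09:05:40 host=db02 user=jdoe src=10.1.2.3 result=failure
2013-01-14T09:06:02 host=db02 user=jdoe src=10.1.2.3 result=success
2013-01-14T09:07:55 host=ws17 user=jdoe src=10.1.2.3 result=success
2013-01-14T09:01:10 host=fs01 user=asmith src=10.1.5.9 result=success
2013-01-14T13:45:00 host=fs01 user=asmith src=10.1.5.9 result=success
2013-01-14T11:30:00 host=mail01 user=bwong src=10.1.7.7 result=success
2013-01-14T11:31:00 host=db02 user=bwong src=10.1.7.7 result=failure
"""


def parse_auth_log(text):
    """Parse log text into a list of event dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match rather than abort the scan
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def find_credential_reuse(events, window=timedelta(minutes=30), min_hosts=3):
    """Return {user: finding} for accounts that touch >= min_hosts distinct
    hosts within any single time window. Failed attempts count too, because
    password guessing from a stolen list produces failures before successes."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, start in enumerate(evs):
            # every event from this start point that still falls inside the window
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            hosts = {e["host"] for e in in_window}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {
                    "hosts": sorted(hosts),
                    "sources": sorted({e["src"] for e in in_window}),
                    "failures": sum(e["result"] == "failure" for e in in_window),
                    "first_seen": start["ts"].isoformat(),
                }
        if best:
            findings[user] = best
    return findings


if __name__ == "__main__":
    for user, f in find_credential_reuse(parse_auth_log(SAMPLE_LOGS)).items():
        print(f"{user}: {len(f['hosts'])} hosts from {f['sources']} "
              f"starting {f['first_seen']}, {f['failures']} failure(s): {f['hosts']}")
```

The thresholds (30 minutes, three hosts) are placeholders; tune them per environment so that administrators and service accounts with legitimately broad access do not drown out the signal, and consider keying on the source address as well, since a harvested list is typically replayed from one foothold.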
The best part: once Rocra is found by a victim and removed, its masters can regain access to the infected computer via a secret "Resurrection module" that has been hidden by Rocra in the machine's copy of Office or Adobe Reader.
The module provides "a foolproof way to regain access to a target system if the main malware body is discovered and removed, or if the system is patched," states the announcement. "Once the [command and control servers] are operational again the attackers send a specialized document file (a PDF or Office document) to victims' machines via email which will activate the malware again."
The good news is that Kaspersky Lab reports that it found only about 250 Rocra infections between November 2012 and now. This fairly limited number of infections echoes other advanced spy tools like miniFlame that we've seen recently. miniFlame, a very advanced piece of malware designed to steal large amounts of information from its victims, was found on a few dozen specifically targeted computers in the Middle East.
Just another day in the world of cyber spying.