
Kurt Baumgartner


One of the Twitter feeds MiniDuke-infected machines use to locate a command-and-control server.

Kaspersky Lab

Unidentified attackers have infected government agencies and organizations in 23 countries with highly advanced malware that uses low-level code to stay hidden and Twitter and Google to ensure it always has a way to receive updates.

MiniDuke, as researchers from Kaspersky Lab and Hungary-based CrySyS Lab have dubbed the threat, bears the hallmark of viruses first encountered in the mid-1990s, when shadowy groups such as 29A engineered innovative pieces of malware for fun and then documented them in an E-Zine by the same name. Because MiniDuke is written in assembly language, most of its computer files are tiny. Its use of multiple levels of encryption and clever coding tricks makes the malware hard to detect and reverse engineer. It also employs a method known as steganography, in which updates received from control servers are stashed inside image files.

In another testament to the skill of the attackers, MiniDuke has taken hold of government agencies, think tanks, a US-based healthcare provider, and other high-profile organizations using the first known exploit to pierce the security sandbox in Adobe Systems' Reader application. Adding intrigue to this, the MiniDuke exploit code contained references to Dante Alighieri's Divine Comedy and also alluded to 666, the Mark of the Beast discussed in a verse from the Book of Revelation.


They're calling it "Red October."

On Monday, Russia's Kaspersky Labs reported that they had identified what may be the most comprehensive, global cyber espionage hack in the history of the Internet.

From CBS News:

Kaspersky's report says "Red October's" configuration rivals the Flame malware that made headlines last year, when it was discovered to have infected computers in Iran.

They discovered the campaign in October 2012 and, after a few months of research, found some truly troubling revelations. Targeted in several countries (listed comprehensively via map below) was proprietary or government classified information in eight sectors:

  1. Government
  2. Diplomatic / embassies
  3. Research institutions
  4. Trade and commerce
  5. Nuclear / energy research
  6. Oil and gas companies
  7. Aerospace
  8. Military

For legal and obvious reasons, Kaspersky doesn't disclose exactly what information or specifically what private, government or diplomatic entities have been breached.

"It's a professional, multi-year cyber-espionage campaign," Kurt Baumgartner, senior security researcher at Kaspersky Labs, told Five years, to be exact.

Even scarier: there's no evidence the hack is state-sponsored. The 'insurgent,' decentralized nature of the attack makes it even more difficult for a coalition of governments to use political sway to pressure possible state-level sources of the attacks.

The most Kaspersky can identify is that Chinese speakers designed the "exploit" (like a coded crowbar that pries past security to improve, expand, and/or modify function) and Russian speakers designed the malware (in this case, the program that locates and gleans relevant information, then shoots it to an off-site server).

In other words, there are no credible targets for political pressure — and after years of espionage the hack is still very much active.

In short, the operation reeks of a growing cyber-warfare mercenary culture, and the Kaspersky report even quips that sensitive information, private or otherwise, is likely then "sold to the highest bidder."

“The main purpose of the operation appears to be the gathering of classified information and geopolitical intelligence ... that [sic] information-gathering scope is quite wide,” Kaspersky's report states.

The hack targeted cell phones (Nokia, Windows, iPhone), enterprise networks, deleted files and even resurrected once-dead computer hard drives. The espionage ranged from stealing files to logging every keystroke and taking periodic screengrabs. Sources include everything from diplomatic to infrastructure to military to commerce.

Finally, the information was then sent back through an opaque thicket of proxy servers, mostly located in Germany and Russia, making it impossible to know where it ended up and where "the mothership command and control center is."

"[There are] entire little villages dedicated to malware in Russia, villages in China, very sophisticated, very organized, very well-funded," Steve Sacks of FireEye, a cyber security firm, told Business Insider. "It'll be 50 guys in a room, changing the attack [as it happens]."



Kaspersky Lab

Researchers have uncovered an ongoing, large-scale computer espionage network that's targeting hundreds of diplomatic, governmental, and scientific organizations in at least 39 countries, including the Russian Federation, Iran, and the United States.

Operation Red October, as researchers from antivirus provider Kaspersky Lab have dubbed the highly coordinated campaign, has been active since 2007, raising the possibility it has already siphoned up hundreds of terabytes of sensitive information. It uses more than 1,000 distinct modules that have never been seen before to customize attack profiles for each victim. Among other things, components target individual PCs, networking equipment from Cisco Systems, and smartphones from Apple, Microsoft, and Nokia. The attack also features a network of command-and-control servers with a complexity that rivals that used by the Flame espionage malware that targeted Iran.

"This is a pretty glaring example of a multiyear cyber espionage campaign," Kaspersky Lab expert Kurt Baumgartner told Ars. "We haven't seen these sorts of modules being distributed, so the customized approach to attacking individual victims is something we haven't seen before at this level."
