Tuesday, January 15, 2013

Kaspersky Lab Uncovers Cyber-Espionage Plot By Russian and Chinese Hackers

Susanne Posel, Contributor
Activist Post

Kaspersky Lab has uncovered Operation Red October (Rocra), a 5-year scheme by the Chinese and Russians to steal diplomatic, industrial and scientific data from Eastern European, North American and Asian organizations. Beginning in 2007, intelligence-gathering operations were conducted in the form of attacks by cyber criminals toward Western nations. The thought is that this is in retribution on behalf of Iran for the damage caused to their country.

Encrypted files and decryption keys used by the European Union and NATO have been compromised. The countries under attack are:

• The Russian Federation
• Kazakhstan
• Azerbaijan
• Belgium
• India
• Afghanistan
• Armenia
• Ukraine
• Turkmenistan

Kaspersky said: “The information we have collected so far does not appear to point toward any specific location; however, two important factors stand out: The exploits appear to have been created by Chinese hackers, (and) the Rocra malware modules have been created by Russian-speaking operatives.”

Rocra appears to have been controlled by 60 command-and-control servers that were held in Germany and Russia. It is suspected that there is another “mother ship” server based in an unknown location.

Some of the attacks appear to be tailor-made for the victim, with an estimated 1,000 different modules that performed specific attacks. Kaspersky explained:
For instance, the initial documents are customized to make them more appealing and every single module is specifically compiled for the victim with a unique victim ID inside (and) later, there is a high degree of interaction between the attackers and the victim. Compared to Flame and Gauss, which are highly automated cyber-espionage campaigns, Rocra is a lot more ‘personal’ and finely tuned for the victims.
The software is broken down into modules that run continually within the system until triggered to activate. Examples are stealing information from a connection made by a mobile phone, or siphoning mail servers and downloading emails.

Although Kaspersky Lab admits that these attacks have not definitively been connected to China or Russia, it is assumed that the data collected would yield a high price on the black market.

Kaspersky stated:
The information stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states. Such information could be traded in the underground and sold to the highest bidder, which can be, of course, anywhere.
Rocra is able to map out the internal layout of a network and the routes information takes through it, and to take files from thumb drives and smartphones.

In 2012, the US House Intelligence Committee (USHIC) warned American corporations in a new report against conducting business with two Chinese firms because of national security threats. Both Huawei Technologies and ZTE, two of the world’s largest telecommunications corporations and suppliers of cellular phones and technology, are being highlighted by the US government and blamed for cyber-attacks. It is also claimed by the USHIC that they are involved in digital espionage.

According to the report, “China has the means, opportunity, and motive to use telecommunications companies for malicious purposes. . . . The investigation concludes that the risks associated with Huawei’s and ZTE’s provision of equipment to U.S. critical infrastructure could undermine core U.S. national-security interests.”

It is claimed that former industry insiders provided intelligence to the US concerning Huawei’s violations of US laws such as immigration, bribery and corruption as well as an alleged “pattern and practice” using pirated software in its US satellites.

The report stated that the Chinese corporations were employing intelligence sources as well as private sector companies and other unnamed entities that could and presumably did steal trade secrets, sensitive information and prehistory data, while simultaneously shipping infected hardware and software to the US with the intent to cause disruptions in national security during war time.

Around the same time as the release of the report, an anonymous White House official said there was an attempt to hack into the executive branch’s computer system through an unclassified network. No data was removed, proving that this was not an actual hack. The nameless official said that the experiment was “spear-phishing”.

The supposition is that China is behind these attacks because of a phishing expedition against Gmail accounts wherein several senior US government officials and military personnel were affected.

According to other mainstream media outlets:
hackers linked to China’s government broke into one of the U.S. government’s most sensitive computer networks, breaching a system used by the White House Military Office for nuclear commands, according to defense and intelligence officials familiar with the incident.
The official questioned explained that a connection to Beijing in the case of the cyber attack “highlights a failure of the Obama administration to press China on its persistent cyber attacks.”

In January, analysts at the Council on Foreign Relations (CFR) confirmed that hackers traced to China attacked their system. The “drive-by” hacking utilized a pirated computer. To compound the problem, the analysts said that the hackers removed their malware and traces of their presence from CFR computer systems.

Recognizing China as becoming a formidable replacement to the US as the world’s superpower, the CFR has outlined specific responses to this crisis of supremacy. Citing Chinese Internet policy, their disdain for freedom of speech in social media, and influence in global cyberspace, the CFR appreciates that this rising “foe” must be confronted indirectly with propaganda to distract from the obvious.

This attack marked a new level by international hackers who aim to steal information from government websites and computers. The “drive-by” tactic covertly plants malware on a site, then the website itself is used to attack its visitors. Visitors can be infected as they pass by, and the hackers then attempt to hack into other computers from there. The hackers use the main site as a “watering hole” that attracts users to it so the hackers can steal information from their computers.

Susanne Posel is the Chief Editor of Occupy Corporatism. Our alternative news site is dedicated to reporting the news as it actually happens; not as it is spun by the corporately funded mainstream media. You can find us on our Facebook page.


stevor said...

Seems pretty convenient. On principle, I don't trust a Russian anti-virus program. I have a brother who swears by it and told me how it found things with viruses that no other program found. If I had more inclination, I'd do a search with it, write down what it found, restore the computer to before the program was installed, and see if IT put the files there in the first place.

Anonymous said...

I wouldn't believe a word about Kaspersky. They used to be a reputable company with good products but they sold out in 2009/2010. By who? Not sure but I can tell you I would never use their products again. I had many problems with hidden viruses. Kaspersky sold out. My opinion for what's it worth.

You can use Avast FREE and have virtually zero problems.

Anonymous said...

Problem, Reaction, Solution.

Kasper, who wants us all to have internet drivers licenses before says.....

Here's the new problem,
React, and Demand a solution,
Enjoy the spymaster solutions, sopa, pipa, acta, nnda, fisa, and facebook.

As opposed to blocking CFR.ORG (whilst their incompetent/or complicit IT staff clean their system)

All this cause someone walked in with a USB stick. That's right crack down on the whole web.

We might as well go back to the CB radio and "talking around" things.


Anonymous said...

Wow, found this out via a different source today. Sent to my IT son for evaluation. http://www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation#1

What is left out in the article is: 1) "It should be noted that the "last modified" field of the pages points to the same date: Tue, 21 Feb 2012 09:00:41 GMT. This is important and probably indicates that the three known mini-motherships are probably just proxies themselves, pointing to the same top level "mothership" server.

Who is the mothership server: China, Japan or the U.S.? They don't/can't say.

and 2) that some of the victim organizations were identified using IP addresses and public WHOIS information or remote system names. Most «interesting» out of those are: Embassies in Algeria, Afghanistan, Armenia, Austria, Azerbaijan, Belarus, Belgium, Bosnia & Herzegovina, Botswana, Cyprus, France, Georgia, Germany, Greece, Hungary, India, Indonesia, Iran, Ireland, Italy, Japan, Jordan, Kenya, Kuwait, Latvia, Lebanon, Lithuania, Mauritania, Moldova, Morocco, Mozambique, Oman, Pakistan, Portugal, Qatar, Russia, Saudi Arabia, South Africa, Spain, Switzerland, Tanzania, Turkey, Uganda, United Arab Emirates and Uzbekistan.

Who would be interested in Embassies? Certainly not the U.S.
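One way to put the "same Last-Modified date" observation quoted in that comment to work when clustering suspected proxy servers, as an added example that is not from the article or from Kaspersky's report (the host names and header samples are constructed; only the timestamp is the one quoted above):

```python
from collections import defaultdict
from email.utils import parsedate_to_datetime

# Constructed sample responses (placeholder host names, not real C2 infrastructure).
# The timestamp is the one the Securelist analysis quotes for the three proxies.
SHARED_TS = "Tue, 21 Feb 2012 09:00:41 GMT"


def _response(last_modified=None):
    """Build a minimal HTTP response header block for the constructed sample set."""
    lines = ["HTTP/1.1 200 OK", "Server: Apache"]
    if last_modified is not None:
        lines.append("Last-Modified: " + last_modified)
    lines.append("Content-Length: 0")
    return "\r\n".join(lines) + "\r\n\r\n"


SAMPLE_RESPONSES = {
    "proxy-a.example": _response(SHARED_TS),
    "proxy-b.example": _response(SHARED_TS),
    "proxy-c.example": _response(SHARED_TS),
    "unrelated.example": _response("Mon, 05 Mar 2012 14:22:10 GMT"),
    "no-header.example": _response(),
}


def last_modified(raw_headers):
    """Return the Last-Modified value as a datetime, or None if absent or unparseable."""
    for line in raw_headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "last-modified":
            try:
                return parsedate_to_datetime(value.strip())
            except (TypeError, ValueError):
                return None
    return None


def shared_upstream_clusters(responses, min_size=2):
    """Group hosts whose Last-Modified timestamps match to the second.

    An identical timestamp on otherwise unrelated hosts is a hint, not proof,
    that they all forward to one upstream origin, which is the inference the
    report drew about the three mini-motherships.
    """
    groups = defaultdict(list)
    for host, raw in responses.items():
        ts = last_modified(raw)
        if ts is not None:
            groups[ts].append(host)
    return {ts: sorted(hosts) for ts, hosts in groups.items() if len(hosts) >= min_size}
```

Run against real captures, a cluster is only a lead: confirm it with other overlap (certificates, server banners, registration data) before treating the hosts as one infrastructure.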

canobs said...

___YOUR OWN CONTRADICTORY (with the title) WORDS___ Although Kaspersky Lab admits that these attacks have not been definitively connected to China and Russia _____ The countries under attack (by cyber criminals) are The Russian Federation... ____ So, where is the truth, and what are you exactly reporting or sure about, gossip read on Facebook maybe.