Have Chinese online spies and Russian cybercriminals formed an unholy alliance?
That scary scenario might be one explanation for a remarkably widespread spyware campaign dubbed "Red October." It was revealed today (Jan. 14) by Moscow's Kaspersky Lab, which said the campaign had been in operation since at least 2007.
"The main objective of the attackers was to gather sensitive documents from the compromised organizations, which included geopolitical intelligence, credentials to access classified computer systems and data from personal mobile devices and network equipment," Kaspersky Lab said in a statement.
The pattern of infection and the types of organizations targeted follow those of Chinese state-sponsored espionage campaigns, and the exploits used were well-known and had been developed in China.
But the malware itself had not been seen before and appeared to have been created by speakers of Russian, Kaspersky Lab said in detailed blog postings.
Red October primarily targeted Russia and other former Soviet republics, but there were also many infected machines in India, Afghanistan and Belgium, where both the European Union and NATO are headquartered.
Smaller numbers of infections were found in the United States, Iran, Switzerland and Italy, among other countries. There were no infections seen in China or North Korea.
Russian cybercriminals often avoid attacking computers in Russian-speaking countries and sometimes craft their malware to make sure computers using Cyrillic character sets are left untouched.
Kaspersky's blog postings said Red October's duration, network complexity and spread were comparable to Flame, an extremely sophisticated piece of malware discovered last year that targeted Iran and other countries of interest to the United States.
"The attackers have been active for at least five years, focusing on diplomatic and governmental agencies of various countries across the world," the Kaspersky SecureList blog said.
"To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries (mainly Germany and Russia). The C&C infrastructure is actually a chain of servers working as proxies and hiding the location of the true mothership command-and-control server."
Targeted computers appeared to be infected via spear-phishing emails sent to specific individuals, another hallmark of Chinese state-sponsored espionage. But Kaspersky noted that the malware involved was unknown until very recently.
Once a computer was infected, the Red October spyware would secretly copy files in dozens of formats and export them to remote servers, then lie in wait until a smartphone or USB drive was connected to the machine.
USB drives would have their files copied and exported; iPhones and Nokia phones would have address books, browser histories, text messages, call histories and calendars copied. Windows phones would be infected with a mobile version of the Red October malware.
Surprisingly, Kaspersky made no mention of the malware attacking Android phones. It's possible the campaign's software was developed before Android phones became widespread in 2010.
Kaspersky said that there was no evidence linking this malware campaign to a specific nation-state, and added that the huge volume of information collected over the past five years, possibly amounting to terabytes of data, could easily be "sold to the highest bidder."