Sophisticated cyberespionage operation focused on high-profile targets

After Stuxnet and Flame, two computer programs believed to have made cyberespionage history, another super-sophisticated malware has been uncovered, this time targeting classified computer systems of diplomatic missions, energy and nuclear groups.

The existence of the malware was publicly announced by Russian-based multi-national computer security firm Kaspersky Lab, which said its researchers had identified it as part of a cyberespionage operation called Rocra, short for Red October in Russian.

The company’s report, published on Monday on Securelist, a computer security portal run by Kaspersky Lab, said that the malware has been active for at least six years.

During that time, it spread slowly but steadily through infected emails sent to carefully targeted and vetted computer users. The purpose of the virus, which Kaspersky Lab said rivals Flame in complexity, is to extract “geopolitical data which can be used by nation states”.

Most of the nearly 300 computers that have so far been found to have been infected belong to government installations, diplomatic missions, research organizations, trade groups, as well as nuclear, energy and aerospace agencies and companies.

Interestingly, the majority of these targets appear to be located in Eastern Europe and former Soviet republics in Central Asia. On infected computers located in North America and Western Europe, the Rocra virus specifically targeted Acid Cryptofiler, an encryption program originally developed by the French military, which enjoys widespread use by European Union institutions, as well by executive organs belonging to the North Atlantic Treaty Organization.

It is important to note that Kaspersky Lab said it found no evidence to suggest that a government is behind Rocra. However, the company’s report states that the choice of targets, coupled with some forensic evidence embedded in the malware’s code, point to the strong possibility that Rocra’s designers “have Russian-speaking origins”.

It is also worth pointing out that the number of infected computers appears small, especially when one considers the resources in time and effort that Rocra’s design must have required. This leads to the conclusion that the virus was selectively directed at few carefully selected computers belonging to high-profile targets.