The security firm said the attackers have been active for at least five years. Red October, which has been active since at least 2007, appears to collect files encrypted with software used by several entities from the European Union to NATO, it added. Information harvested from infected networks was reused in later attacks. To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries (mainly Germany and Russia). The C&C infrastructure is actually a chain of servers working as proxies and hiding the location of the true -mothership- command and control server.
Beside traditional attack targets (workstations), the system is also capable of stealing data from mobile devices, such as smartphones (iPhone, Nokia, Windows Mobile); dumping enterprise network equipment configuration (Cisco); hijacking files from removable disk drives (including already deleted files via a custom file recovery procedure); stealing e-mail databases from local Outlook storage or remote POP/IMAP server; and siphoning files from local network FTP servers.
Kaspersky Lab said "there is strong technical evidence to indicate the attackers have Russian-speaking origins."
Kaspersky Lab says that in collaboration with international organizations, Law Enforcement, Computer Emergency Response Teams (CERTs) and other IT security companies is continuing its investigation of Operation Red October by providing technical expertise and resources for remediation and mitigation procedures.