SECURITY RESEARCHERS at antivirus vendor Trend Micro have uncovered a large-scale cyber espionage operation that uses malware to steal information from hundreds of computers belonging to many governments, mostly in the former USSR.
"The countries most impacted by this attack are Russia, Kazakhstan and Vietnam, along with numerous other countries - mainly in the CIS (Commonwealth of Independent States - or former Soviet Union)," the Trend Micro researchers noted.
The attack, dubbed 'Lurid', is of the APT variety - that's "advanced persistent threat" in IT security terminology - and combines social engineering, vulnerability exploits and information-stealing malware.
Like most APT attacks, Lurid starts with well-crafted rogue emails sent to people working for targeted organizations. In this case these are diplomatic missions, government institutions, government contractors, research centres, and so on.
The emails carry documents rigged with exploits for vulnerabilities in older versions of Adobe Reader, a piece of software that is frequently left unpatched in business environments.
Once an exploit is successful, a piece of malware known as the Lurid Downloader or 'Enfal' is deployed to steal information and monitor communications.
In total, this operation has managed to compromise over 1,460 computers in 61 different countries. The machines are infected with malware tagged with 300 unique identifiers, each assigned to a particular campaign.
The command and control infrastructure includes 15 domain names hosted on 10 different IP addresses that the attackers use for sending commands to get directory listings and transfer files.
"Although our research didn't reveal precisely which data was being targeted, we were able to determine that, in some cases, the attackers attempted to steal specific documents and spreadsheets," the Trend Micro researchers said.
Russia was by far the primary target of this operation, hosting over 1,000 of the infected computers. Kazakhstan was second with 325 and Ukraine third with 102.
APT is a term often overused by security vendor marketing departments. When McAfee released a report about a similar operation back in August, other security experts called it hype. This might be the case now as well, but one thing is certain - the US, EU and their allies are not the only targets of cyber espionage attacks.