Red October or Rocra, an advanced, highly flexible malware attack campaign, has targeted a number of entities across the world, including two in Oman, according to a senior official of the anti-virus major Kaspersky Lab.
The firm said in a report issued on January 14 that its experts have uncovered Rocra, which was created five years ago to steal information and geopolitical intelligence from computer systems, mobile phones and enterprise network equipment.
Speaking to Muscat Daily, Alexander Gostev, Chief Security Expert, Kaspersky Lab, said that there were 'two detections of this kind of malware in Oman'. Gostev declined to identify the targets but suggested that one of them was an embassy.
“The evidence that we have indicates that the countries that became victims of the attackers were mostly related to the region of Eastern Europe, former USSR members and countries in Central Asia,” Gostev said.
“Based on the statistics from Kaspersky Security Network, there are two detections of this kind of malware in Oman. The victim organisations were identified using IP addresses and public WHOIS information or remote system names. In the case of Oman, we can speak about an embassy being under attack.
“Yet, once again, this is based on data from Kaspersky AV (anti-virus) products. Apparently, the real number and list of victim names is much larger.”
Oman's Computer Emergency Readiness Team (OCERT), which has recently been chosen as the regional cyber security centre for 21 countries across the Arab region, said that it is 'studying the report and is in contact with the company that issued the report'.
“OCERT has published a threat notification and alert in the OCERT portal and sent it to all constituents,” it said in a statement. “OCERT is addressing such issues through awareness programmes. Concerned authorities mentioned in the report as targets have been notified and have been offered assistance with recommendations on actions and solutions.”
According to the Kaspersky Lab report, Rocra has infected hundreds of victims around the world in seven main categories: government, diplomatic/embassies, research institutions, trade and commerce, nuclear/energy research, oil and gas companies, and aerospace.
The attackers are yet to be identified, but the report stated, “There is no evidence linking this with a nation-state sponsored attack. The information stolen by the attackers is of the highest level and includes geopolitical data which can be used by nation states. Such information could be traded in the underground and sold to the highest bidder, which can be, of course, anywhere.”
The report added, “With Rocra, the attackers managed to stay in the game for over five years and evade detection of most anti-virus products while continuing to exfiltrate what must be hundreds of terabytes by now.”