INFOSEC

Researchers Uncover Massive Spyware Operation

Feb 17, 2015 at 11:05 AM ET

A report released by Russian researchers this week reveals a worldwide spyware operation that has been secretly monitoring thousands of computers in more than 30 countries. The malware, discovered by Kaspersky Lab, operates like a Trojan horse: once a person inserts an infected USB thumb drive or CD into their computer, it immediately begins intercepting information from that computer’s hard drive.

The researchers stop short of accusing the NSA of the operation, but Reuters has confirmed with numerous sources that the U.S. intelligence agency is indeed behind it, which makes perfect sense given the countries targeted. Among the countries with a high infection rate, the Russian Federation, Iran, Pakistan and Afghanistan topped the list for the variety of institutions hacked.

What’s remarkable about the operation is how it mixes high-tech surveillance software with low-tech spying. For instance, in one anecdote provided by the researchers, some scientists who had just attended a conference were infected with the malware after someone tampered with CDs delivered to their homes. The report notes:

Upon returning home, some of the participants received by mail a copy of the conference proceedings, together with a slideshow including various conference materials. The [compromised?] CD-ROM used “autorun.inf” to execute an installer that began by attempting to escalate privileges using two known EQUATION group exploits. Next, it attempted to run the group’s DOUBLEFANTASY implant and install it onto the victim’s machine. The exact method by which these CDs were interdicted is unknown. We do not believe the conference organizers did this on purpose. At the same time, the super-rare DOUBLEFANTASY malware, together with its installer with two zero-day exploits, doesn’t end up on a CD by accident.
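The delivery step the report describes hinges on a single small file, autorun.inf, telling Windows what to run when a disc is inserted. As an added example, not code from the report or this article, the script below parses an autorun.inf and lists which directives would launch a program, so an analyst reviewing removable media can see that step without executing anything; the two autorun.inf samples are constructed, and the handling of shell\<verb>\command entries goes beyond the open= case the report mentions.

```python
from pathlib import PureWindowsPath

# Constructed sample autorun.inf files (not from the report). The first mirrors the
# delivery step described above: a disc whose autorun.inf launches an installer.
TROJANIZED_CD = """[autorun]
open=setup\\proceedings.exe /quiet
icon=proceedings.ico
label=Conference Proceedings
action=Open conference proceedings
"""

# A disc that only sets an icon and label: nothing is executed on insertion.
BENIGN_CD = """[AutoRun]
icon=disc.ico
label=Photos
"""

# Directives that make Windows run something on insertion; icon/label/action do not.
EXEC_KEYS = {"open", "shellexecute"}
RISKY_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".msi"}


def parse_autorun(text):
    """Return the [autorun] section (section name matched case-insensitively) as a
    dict with lowercase keys. Other sections and ';' comment lines are skipped."""
    current, section = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            continue
        if current == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            section[key.strip().lower()] = value.strip()
    return section


def assess_autorun(text):
    """List (directive, target, verdict) for every directive that would execute
    something; verdict is 'executable' when the target's extension is a program."""
    findings = []
    for key, value in parse_autorun(text).items():
        # shell\<verb>\command= entries also launch programs, via the context menu.
        launches = key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if not launches or not value:
            continue
        target = value.split()[0].strip('"')  # drop arguments and surrounding quotes
        ext = PureWindowsPath(target).suffix.lower()
        findings.append((key, target, "executable" if ext in RISKY_EXT else "other"))
    return findings


if __name__ == "__main__":
    for name, inf in (("trojanized", TROJANIZED_CD), ("benign", BENIGN_CD)):
        print(name, assess_autorun(inf) or "no execution directives")
```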