Russian cybersecurity firm Kaspersky Lab said unknown hackers have been stealing EU and NATO-encrypted files, the EUobserver website reported on Monday.
The operation - dubbed "Red October" - claimed victims in embassies, government and military institutions in Israel and the US, among others.
According to the BBC, Kaspersky Lab said digital clues suggested the perpetrators were Russian-speaking, but that the spy campaign did not appear to be the work of a nation state. The malware also targeted nuclear research centers and oil and gas institutes.
In a statement, Kaspersky Lab said: "The primary focus of this campaign targets countries in Eastern Europe, former USSR Republics, and countries in Central Asia, although victims can be found everywhere, including Western Europe and North America.
"The main objective of the attackers was to gather sensitive documents from the compromised organizations, which included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment."
In an interview with the New York Times, Kurt Baumgartner, a senior security researcher at Kaspersky Lab, said that among the "several hundreds" of victim organizations were "embassies, consulates and trade centers." The vast majority of infected machines were based in Russia - where Kaspersky identified 38 infected machines - followed by Kazakhstan, where 16 infected machines were identified. Six infected machines were found in the United States.
Baumgartner described the campaign as a "sophisticated and very patient multi-year effort" to extract geopolitical and confidential intelligence from computers, network devices like routers and switches, and smartphones, the New York Times said.
Professor Alan Woodward, from the University of Surrey, told the BBC the attack "appears to be trying to suck up all the usual things - word documents, PDFs, all the things you'd expect."
Kaspersky told the New York Times that what set the campaign apart was that the attackers engineered their malware to steal files encrypted with Acid Cryptofiler, classified encryption software used by several countries in the European Union and NATO to protect classified information.
Kaspersky Lab said an investigation launched in October following a tip-off from an anonymous "partner" revealed that the cyber espionage campaign began in 2007. During the campaign the hackers pulled material, such as files, as well as keystroke history and Internet browsing history, from desktop and laptop computers, servers and USB sticks.
They also stole contact lists, call history and SMS messages from iPhone, Nokia and Windows Mobile smartphones.
Belgium, the home of the EU and NATO headquarters, saw 15 separate breaches - the fourth highest number of any country on the list, EUobserver reported.
Kaspersky Lab's analysis of the malicious code indicated that the people behind it were Chinese and Russian speakers.
"Currently, there is no evidence linking this with a nation-state-sponsored attack. The information stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states. Such information could be traded in the underground and sold to the highest bidder, which can be of course, anywhere," the company said.
In October Kaspersky Lab discovered a new computer virus - "Miniflame" - which infiltrated computers in the Middle East, mainly in Iran and Lebanon. Kaspersky also discovered the "Flame" virus, which mostly targeted computers in Iran and Sudan, and the "Gauss" malware, which targeted accounts at several banks in Lebanon.