For the most part, the Red October campaign has gone undetected for more than five years. Some of the malware's modules have been detected from time to time by antivirus products, but no one has ever put the pieces together to uncover the full extent of the operation until now, Raiu said.
The Kaspersky researchers believe that the Red October campaign is more sophisticated than previously documented cyberespionage campaigns like Aurora or Night Dragon. Some of those attacks might have used zero-day exploits -- exploits for previously unknown and unpatched vulnerabilities -- for distribution, but this attack is much more complex in terms of lateral movement and data exfiltration, Raiu said.
The Red October attackers spend a couple of days gathering information about an infected system and its network before deciding which modules to use and how. The attacks are more personal and the level of customization is greater, Raiu said.
The operation's command-and-control infrastructure is also sophisticated. The Kaspersky researchers discovered more than 60 domain names used for command-and-control purposes that are hosted on servers in Russia, Germany and other countries. The whole infrastructure is actually a chain of servers that act as proxies to hide the main and yet-to-be-identified "mothership" server, they said.
Given the length of the operation, the Kaspersky researchers believe that hundreds of terabytes of sensitive data have probably been stolen so far.
Raiu declined to name any of the affected organizations, but said that the company is open to working with the national CERTs (computer emergency response teams) from countries where victims were identified and to providing them with the IP (Internet protocol) addresses of the victims.