Cyberespionage-style attacks detected against targets outside U.S.
Xinhua, August 9, 2016
A previously unknown group has been using malware to conduct cyberespionage-style attacks against selected targets in Russia, China, Sweden and Belgium, said security researchers with Symantec Corporation.
The group, called Strider, has been active since at least October 2011 but has maintained a low profile until now, according to a posting at Symantec's official blog on Monday. With an advanced piece of malware known as Remsec, it attacks "mainly organizations and individuals that would be of interest to a nation-state's intelligence services."
Symantec, a U.S. technology company based in Mountain View, northern California, that provides antivirus, antispyware, antimalware and firewall products, said it had obtained a sample of the group's Remsec malware, detected as Backdoor.Remsec, from a customer who submitted it after it was flagged by the behavioral engine of Symantec and Norton products.
Remsec, whose name contains a reference to Sauron, the title character and main antagonist of The Lord of the Rings, the high-fantasy novel by English author J.R.R. Tolkien, is designed to spy on targets by opening a back door on an infected computer, enabling it to log keystrokes and steal files.
The findings by Symantec researchers were echoed by their colleagues at Kaspersky Lab, headquartered in Moscow, Russia, who followed up with a posting titled "ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms."
The Kaspersky researchers described ProjectSauron, also known as Strider, as "an exceptional espionage platform" and said that they had found more than 30 infected organizations in Russia, Iran, Rwanda and possibly in Italian-speaking countries. The targets are key entities that provide core state functions: government, scientific research centers, military, telecommunication providers and finance.
For Symantec's part, its researchers said Strider has been highly selective in its choice of targets and, to date, evidence of infection by the Remsec malware has been found on 36 computers across seven separate organizations, including a number of organizations and individuals located in Russia, an airline in China, an organization in Sweden, and an embassy in Belgium.
The malware has stealth features that help it avoid detection: much of its functionality is deployed over the network and resides in a computer's memory rather than on disk, which leaves fewer traces for disk-based scanning to find.
Refraining from pointing fingers at any government entity, Symantec said the Strider group consists of "technically competent attackers."
Meanwhile, the researchers revealed that Strider's attacks have tentative links with a previously uncovered group, Flamer, and that its use of a specific set of modules is a technique also known to have been used by Flamer.
Detected in 2012 and described at the time as "the most sophisticated malware," Flamer was believed to have initially infected about 1,000 machines, with victims including governmental organizations, educational institutions and private individuals. While 65 percent of the infections occurred in Iran, Israel, the Palestinian territories, Sudan, Syria, Lebanon, Saudi Arabia and Egypt, a majority of the targets were within Iran.
At the time, some independent analysts, citing circumstantial evidence, speculated that members of U.S. government institutions might have played a part in the attacks by the Flamer group.
In their latest findings, Symantec researchers said "Strider is capable of creating custom malware tools and has operated below the radar for at least five years. Based on the espionage capabilities of its malware and the nature of its known targets, it is possible that the group is a nation-state level attacker."