Kaspersky identifies 'Red October' cyberespionage network
It is not known whether the operation was state-sponsored or a criminal group gathering information to sell to the highest bidder
By Antone Gonsalves
January 14, 2013 — CSO — Since 2007, a cyberespionage network has been stealing confidential data from private industry and government and research organizations in Eastern Europe, former Soviet republics and Central Asian countries, a security firm reported Monday.
The network, called Red October, has also stolen sensitive information from organizations in Western Europe and the U.S., but the focus was in the other regions, Kaspersky Lab said.
Most victims were diplomatic and government organizations, scientific research institutions, nuclear and energy groups, private trade groups and companies in the aerospace industries.
Kaspersky said it did not know whether the operation was state-sponsored or a criminal group gathering information to sell to the highest bidder. "The most probable scenario is for the end-customer to be a nation-state," Roel Schouwenberg, a senior researcher at Kaspersky Lab, told CSO Online.
Kaspersky discovered the network last year during an investigation stemming from a series of attacks against the computer networks of diplomatic service agencies.
The attackers, believed to have "Russian-speaking origins," used malware with a unique modular architecture comprising malicious extensions, information-stealing code and backdoor Trojans. The malware is called Rocra, which is short for Red October.
The cyberespionage network compromised systems of hundreds of victims across 69 companies, Schouwenberg said. "It's likely there are more victims out there that we're currently not aware of."
Like cascading dominoes, computer systems fell as information stolen from one was used to penetrate another. For example, stolen credentials were compiled in a list and then used to guess passwords or phrases to gain access to additional systems.
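The credential-reuse pattern described above leaves a detectable trace on the defender's side: one source address authenticating successfully to many hosts with many different accounts in a short window. The following is an added illustration, not code from the article or from Kaspersky, showing one way to flag that pattern over a constructed, simplified successful-logon log. The log format (timestamp, host, account, source IP), the function names and the thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample successful-logon records (not taken from the article).
# One record per line: ISO timestamp, host, account, source IP.
SAMPLE_LOG = """\
2013-01-10T09:00:01 fileserver1 alice 10.0.5.23
2013-01-10T09:00:40 fileserver1 bob 10.0.5.23
2013-01-10T09:01:12 mailhost carol 10.0.5.23
2013-01-10T09:02:05 hr-db dave 10.0.5.23
2013-01-10T09:02:30 fileserver2 erin 10.0.5.23
2013-01-10T09:03:00 fileserver1 alice 10.0.7.41
2013-01-10T11:30:00 mailhost frank 10.0.9.9
2013-01-10T11:31:00 mailhost frank 10.0.9.9
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_logons(log_text):
    """Parse the simplified log into (timestamp, host, user, source_ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing
        ts, host, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), host, user, src))
    return events


def find_credential_reuse(log_text, window=timedelta(minutes=10),
                          min_hosts=3, min_users=3):
    """Flag source IPs that, within any `window`, log on successfully to at
    least `min_hosts` distinct hosts using at least `min_users` distinct
    accounts. Returns {source_ip: {"hosts": set, "users": set}}.
    Thresholds are assumed values for this example; tune them to the
    environment, since a jump host or scanner can look similar."""
    by_source = defaultdict(list)
    for ts, host, user, src in parse_logons(log_text):
        by_source[src].append((ts, host, user))

    findings = {}
    for src, events in by_source.items():
        events.sort()  # chronological order so a window can start at each event
        for i, (start_ts, _, _) in enumerate(events):
            hosts, users = set(), set()
            for ts, host, user in events[i:]:
                if ts - start_ts > window:
                    break
                hosts.add(host)
                users.add(user)
            if len(hosts) >= min_hosts and len(users) >= min_users:
                f = findings.setdefault(src, {"hosts": set(), "users": set()})
                f["hosts"] |= hosts
                f["users"] |= users
    return findings


if __name__ == "__main__":
    for src, f in find_credential_reuse(SAMPLE_LOG).items():
        print(f"{src}: {len(f['users'])} accounts across "
              f"{len(f['hosts'])} hosts -> {sorted(f['hosts'])}")
```

With the constructed data, only 10.0.5.23 is reported: five accounts against four hosts inside three minutes, while the single logon from 10.0.7.41 and the repeated same-user logons from 10.0.9.9 stay below the thresholds. In a real deployment the same logic would run over Windows Security event 4624 or syslog authentication records rather than this toy format.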
The attackers created more than 60 domain names and several server-hosting locations in different countries, with the majority in Germany and Russia. The majority of servers were used as proxies, in order to hide the command-and-control server at the core of the operation.
The stolen data had a wide variety of extensions. One extension not seen as a target before was "acid," which appears to be documents encrypted with classified software called "Acid Cryptofiler." The European Union and the North Atlantic Treaty Organization use the software.
"Previously targeted attacks that have been analyzed and reported did not focus on stealing files that were encrypted with Acid Cryptofiler," Schouwenberg said.
The attackers used spear-phishing emails to lure victims into opening attachments that exploited vulnerabilities in Microsoft Office and Excel applications.
The exploit code had been used before in cyberattacks on Tibetan activists and military and energy-related targets in Asia, Kaspersky said. The embedded executable was unique to Rocra.
Among the unusual attributes of the Rocra malware was a "resurrection" module embedded as a plug-in in Adobe Reader and Microsoft Office applications. The plug-in made it possible for attackers to regain control of a system after the main body of the malware was discovered and removed.
In addition, the malware was capable of stealing data from mobile devices, as well as PCs. Smartphone targets included the iPhone, Nokia devices and phones running Windows Mobile.
Kaspersky conducted the investigation in collaboration with international law enforcement agencies and the Computer Emergency Response Team in Romania and Belarus.
According to the latest report from the U.S. Defense Security Service, cyber-espionage technology is more sophisticated than ever and its use against U.S. targets is growing. During fiscal years 2010-11, reports of attempts to steal sensitive or classified information and technology rose 75%.
New types of high-tech, military-grade malicious code that have made headlines over the last couple of years include Stuxnet, Duqu and Flame. Stuxnet is believed to have damaged Iranian nuclear facilities in 2010. The U.S. and Israeli governments created the malware, The New York Times has reported.