Attacks/Breaches
1/18/2013
02:03 PM
Operation Red October Attackers Wielded Spear Phishing

Advanced, malware-driven espionage network employed over 1,000 modules and tools customized for just hundreds of targets, finds Kaspersky analysis.

The Red October malware network is one of the most advanced online espionage operations that's ever been discovered. That's the conclusion of Moscow-based security firm Kaspersky Lab, which first discovered Operation Red October--"Rocra" for short--in October 2012.

"The primary focus of this campaign targets countries in Eastern Europe, former USSR republics, and countries in Central Asia, although victims can be found everywhere, including Western Europe and North America," according to research published by the security firm. The attackers, who appear to speak Russian but to have also used some Chinese-made software, seem to have focused their efforts on stealing diplomatic and government information, as well as scientific research, from not just PCs and servers but also mobile devices.

The Red October attacks began in 2007, and remained active at least through Sunday, which was the day before Kaspersky Lab first publicly detailed its research into the espionage operation.

In a more detailed technical analysis published Thursday that stretches 140 pages, Kaspersky Lab provided additional information about the operators' attack techniques, including the malware family used in the attacks, which it's dubbed Sputnik, and which was used to infect just hundreds of systems. "According to our knowledge, never before in the history of [information security] has [a] cyber-espionage operation been analyzed in such deep detail, with a focus on the modules used for attack and data exfiltration," said Kaspersky Lab.


But studying an espionage malware operation such as Red October, which was designed to steal data from specific targets -- assigning people unique ID numbers and in some cases employing malware modules customized solely for that target -- is complicated by researchers not being able to see the data that was stolen or recover every attack module.

Accordingly, Kaspersky Lab researchers determined to play the victim. "To get around these hiccups, we set up several fake victims around the world and monitored how the attackers handled them over the course of several months," they said. "This allowed us to collect hundreds of attack modules and tools. In addition to these, we identified many other modules used in other attacks, which allowed us to gain a unique insight into the attack."

All known Red October attacks have been launched using spear-phishing emails with attachments carrying "enticing names," said researchers. The attachments recovered to date have been malicious Excel and Word documents, although attackers also appear to have used the so-called Rhino exploit for a Java bug first found in 2011. Regardless of the attack vector, the goal is to infect a target system with backdoor and dropper software known as Sputnik.

To be clear, Kaspersky Lab said that Sputnik isn't as advanced as the Flame malware that it was the first to discover, and which was reportedly the product of a U.S. cyber-weapons program. Flame tapped world-class crypto to create a never-seen-before type of collision attack on Windows Update, which allowed attackers to instruct targeted Windows operating systems to install their malware. At the time, Kaspersky Lab researcher Alexander Gostev likened the capability to the "god mode" cheat in videogames that makes a user invulnerable and allows them to move about a game at will.

Still, the Red October operation is extensive, and attackers have designed or customized more than 1,000 modules and tools, which they could instruct any Sputnik-infected system to download. To help analyze all of those different attack modules, Kaspersky Lab has grouped them into nine categories: reconnaissance (to gather information about a targeted system immediately upon infection); password (for stealing passwords); email (to steal emails); USB drives (monitor and steal data); keyboard (log keystrokes); persistence (plant malicious plug-ins in applications such as Microsoft Office and Adobe Reader); spreading (scan for new targets on a local network); mobile (grab data from smartphones and other PC-connected devices); and exfiltration (transfer all collected data to a command-and-control server).

Researchers have yet to recover samples of all modules that were used by attackers. For example, a USB infection module hasn't yet been recovered. "We suspect that this module is capable of infecting removable storage, running arbitrary modules from other groups and [saving] data back to the USB drives," they said. No doubt the hunt for more Red October and Sputnik clues will continue.
