Attacks/Breaches
1/18/2013
02:03 PM
Connect Directly
RSS
E-Mail
50%
50%

Operation Red October Attackers Wielded Spear Phishing

Advanced, malware-driven espionage network employed over 1,000 modules and tools customized for just hundreds of targets, finds Kaspersky analysis.

The Red October malware network is one of the most advanced online espionage operations that's ever been discovered. That's the conclusion of Moscow-based security firm Kaspersky Lab, which first discovered Operation Red October--"Rocra" for short--in October 2012.

"The primary focus of this campaign targets countries in Eastern Europe, former USSR republics, and countries in Central Asia, although victims can be found everywhere, including Western Europe and North America," according to research published by the security firm. The attackers, who appear to speak Russian but to have also used some Chinese-made software, seem to have focused their efforts on stealing diplomatic and government information, as well as scientific research, from not just PCs and servers but also mobile devices.

The Red October attacks began in 2007, and remained active at least through Sunday, which was the day before Kaspersky Lab first publicly detailed its research into the espionage operation.

In a more detailed technical analysis published Thursday that stretches 140 pages, Kaspersky Lab provided additional information about the operators' attack techniques, including the malware family used in the attacks, which it's dubbed Sputnik, and which was used to infect just hundreds of systems. "According to our knowledge, never before in the history of [information security] has [a] cyber-espionage operation been analyzed in such deep detail, with a focus on the modules used for attack and data exfiltration," said Kaspersky Lab.

[ Get the facts about Java zero-day vulnerabilities. Read Java Security Warnings: Cut Through The Confusion. ]

But studying an espionage malware operation such as Red October, which was designed to steal data from specific targets -- assigning people unique ID numbers and in some cases employing malware modules customized solely for that target -- is complicated by researchers not being able to see the data that was stolen or recover every attack module.

Accordingly, Kaspersky Lab researchers determined to play the victim. "To get around these hiccups, we set up several fake victims around the world and monitored how the attackers handled them over the course of several months," they said. "This allowed us to collect hundreds of attack modules and tools. In addition to these, we identified many other modules used in other attacks, which allowed us to gain a unique insight into the attack."

All known Red October attacks have been launched using spear-phishing emails with attachments carrying "enticing names," said researchers. The attachments recovered to date have been malicious Excel and Word documents, although attackers also appear to have used the so-called Rhino exploit for a Java bug first found in 2011. Regardless of the attack, the goal is to infect a target system with backdoor and dropper software known as Sputnik.

To be clear, Kaspersky Lab said that Sputnik isn't as advanced as the Flame malware that it was the first to discover, and which was reportedly the product of a U.S. cyber-weapons program. Flame tapped world-class crypto to create a never-seen-before type of collision attack on Windows Update, which allowed attackers to instruct targeted Windows operating systems to install their malware. At the time, Kaspersky Lab researcher Alexander Gostev likened the capability to the "god mode" cheat in videogames that makes a user invulnerable and allows them to move about a game at will.

Still, the Red October operation is extensive, and attackers have designed or customized more than 1,000 modules and tools, which they could instruct any Sputnik-infection system to download. To help analyze all of those different attack modules, Kaspersky Lab has grouped them into nine categories: reconnaissance (to gather information about a targeted system immediately upon infection); password (for stealing passwords); email (to steal emails); USB drives (monitor and steal data); keyboard (log keystrokes); persistence (plant malicious plug-ins in applications such as Microsoft Office and Adobe Reader); spreading (scan for new targets on a local network); mobile (grab data from smartphones and other PC-connected devices); and exfiltration (transfer all collected data to command-and-control server).

Researchers have yet to recover samples of all modules that were used by attackers. For example, a USB infection module hasn't yet been recovered. "We suspect that this module is capable of infecting removable storage, running arbitrary modules from other groups and [saving] data back to the USB drives," they said. No doubt the hunt for more Red October and Sputnik clues to continue.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1556
Published: 2014-09-12
Cross-site scripting (XSS) vulnerability in Synology Photo Station 5 for DiskStation Manager (DSM) 3.2-1955 allows remote attackers to inject arbitrary web script or HTML via the name parameter to photo/photo_one.php.

CVE-2014-2008
Published: 2014-09-12
SQL injection vulnerability in confirm.php in the mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to execute arbitrary SQL commands via the TID parameter.

CVE-2014-2009
Published: 2014-09-12
The mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to obtain credentials, the installation path, and other sensitive information via a direct request to api/curllog.log.

CVE-2014-4735
Published: 2014-09-12
Cross-site scripting (XSS) vulnerability in MyWebSQL 3.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the table parameter to index.php.

CVE-2014-5259
Published: 2014-09-12
Cross-site scripting (XSS) vulnerability in cattranslate.php in the CatTranslate JQuery plugin in BlackCat CMS 1.0.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the msg parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
CISO Insider: An Interview with James Christiansen, Vice President, Information Risk Management, Office of the CISO, Accuvant