Attacks/Breaches

Operation Red October Attackers Wielded Spear Phishing

Advanced, malware-driven espionage network employed over 1,000 modules and tools customized for just hundreds of targets, finds Kaspersky analysis.

The Red October malware network is one of the most advanced online espionage operations that's ever been discovered. That's the conclusion of Moscow-based security firm Kaspersky Lab, which first discovered Operation Red October--"Rocra" for short--in October 2012.

"The primary focus of this campaign targets countries in Eastern Europe, former USSR republics, and countries in Central Asia, although victims can be found everywhere, including Western Europe and North America," according to research published by the security firm. The attackers, who appear to speak Russian but to have also used some Chinese-made software, seem to have focused their efforts on stealing diplomatic and government information, as well as scientific research, from not just PCs and servers but also mobile devices.

The Red October attacks began in 2007, and remained active at least through Sunday, which was the day before Kaspersky Lab first publicly detailed its research into the espionage operation.

In a more detailed technical analysis published Thursday that stretches 140 pages, Kaspersky Lab provided additional information about the operators' attack techniques, including the malware family used in the attacks, which it's dubbed Sputnik, and which was used to infect just hundreds of systems. "According to our knowledge, never before in the history of [information security] has [a] cyber-espionage operation been analyzed in such deep detail, with a focus on the modules used for attack and data exfiltration," said Kaspersky Lab.

[ Get the facts about Java zero-day vulnerabilities. Read Java Security Warnings: Cut Through The Confusion. ]

But studying an espionage malware operation such as Red October, which was designed to steal data from specific targets -- assigning people unique ID numbers and in some cases employing malware modules customized solely for that target -- is complicated by researchers not being able to see the data that was stolen or recover every attack module.

Accordingly, Kaspersky Lab researchers determined to play the victim. "To get around these hiccups, we set up several fake victims around the world and monitored how the attackers handled them over the course of several months," they said. "This allowed us to collect hundreds of attack modules and tools. In addition to these, we identified many other modules used in other attacks, which allowed us to gain a unique insight into the attack."

All known Red October attacks have been launched using spear-phishing emails with attachments carrying "enticing names," said researchers. The attachments recovered to date have been malicious Excel and Word documents, although attackers also appear to have used the so-called Rhino exploit for a Java bug first found in 2011. Regardless of the attack, the goal is to infect a target system with backdoor and dropper software known as Sputnik.

To be clear, Kaspersky Lab said that Sputnik isn't as advanced as the Flame malware that it was the first to discover, and which was reportedly the product of a U.S. cyber-weapons program. Flame tapped world-class crypto to create a never-seen-before type of collision attack on Windows Update, which allowed attackers to instruct targeted Windows operating systems to install their malware. At the time, Kaspersky Lab researcher Alexander Gostev likened the capability to the "god mode" cheat in videogames that makes a user invulnerable and allows them to move about a game at will.

Still, the Red October operation is extensive, and attackers have designed or customized more than 1,000 modules and tools, which they could instruct any Sputnik-infection system to download. To help analyze all of those different attack modules, Kaspersky Lab has grouped them into nine categories: reconnaissance (to gather information about a targeted system immediately upon infection); password (for stealing passwords); email (to steal emails); USB drives (monitor and steal data); keyboard (log keystrokes); persistence (plant malicious plug-ins in applications such as Microsoft Office and Adobe Reader); spreading (scan for new targets on a local network); mobile (grab data from smartphones and other PC-connected devices); and exfiltration (transfer all collected data to command-and-control server).

Researchers have yet to recover samples of all modules that were used by attackers. For example, a USB infection module hasn't yet been recovered. "We suspect that this module is capable of infecting removable storage, running arbitrary modules from other groups and [saving] data back to the USB drives," they said. No doubt the hunt for more Red October and Sputnik clues to continue.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6157
PUBLISHED: 2019-04-22
In various firmware versions of Lenovo System x, the integrated management module II (IMM2)'s first failure data capture (FFDC) includes the web server's private key in the generated log file for support.
CVE-2015-1343
PUBLISHED: 2019-04-22
All versions of unity-scope-gdrive logs search terms to syslog.
CVE-2016-1573
PUBLISHED: 2019-04-22
Versions of Unity8 before 8.11+16.04.20160122-0ubuntu1 file plugins/Dash/CardCreator.js will execute any code found in place of a fallback image supplied by a scope.
CVE-2016-1579
PUBLISHED: 2019-04-22
UDM provides support for running commands after a download is completed, this is currently made use of for click package installation. This functionality was not restricted to unconfined applications. Before UDM version 1.2+16.04.20160408-0ubuntu1 any confined application could make use of the UDM C...
CVE-2016-1584
PUBLISHED: 2019-04-22
In all versions of Unity8 a running but not active application on a large-screen device could talk with Maliit and consume keyboard input.