Attacks/Breaches
1/18/2013
02:03 PM
50%
50%

Operation Red October Attackers Wielded Spear Phishing

Advanced, malware-driven espionage network employed over 1,000 modules and tools customized for just hundreds of targets, finds Kaspersky analysis.

The Red October malware network is one of the most advanced online espionage operations that's ever been discovered. That's the conclusion of Moscow-based security firm Kaspersky Lab, which first discovered Operation Red October--"Rocra" for short--in October 2012.

"The primary focus of this campaign targets countries in Eastern Europe, former USSR republics, and countries in Central Asia, although victims can be found everywhere, including Western Europe and North America," according to research published by the security firm. The attackers, who appear to speak Russian but to have also used some Chinese-made software, seem to have focused their efforts on stealing diplomatic and government information, as well as scientific research, from not just PCs and servers but also mobile devices.

The Red October attacks began in 2007, and remained active at least through Sunday, which was the day before Kaspersky Lab first publicly detailed its research into the espionage operation.

In a more detailed technical analysis published Thursday that stretches 140 pages, Kaspersky Lab provided additional information about the operators' attack techniques, including the malware family used in the attacks, which it's dubbed Sputnik, and which was used to infect just hundreds of systems. "According to our knowledge, never before in the history of [information security] has [a] cyber-espionage operation been analyzed in such deep detail, with a focus on the modules used for attack and data exfiltration," said Kaspersky Lab.

[ Get the facts about Java zero-day vulnerabilities. Read Java Security Warnings: Cut Through The Confusion. ]

But studying an espionage malware operation such as Red October, which was designed to steal data from specific targets -- assigning people unique ID numbers and in some cases employing malware modules customized solely for that target -- is complicated by researchers not being able to see the data that was stolen or recover every attack module.

Accordingly, Kaspersky Lab researchers determined to play the victim. "To get around these hiccups, we set up several fake victims around the world and monitored how the attackers handled them over the course of several months," they said. "This allowed us to collect hundreds of attack modules and tools. In addition to these, we identified many other modules used in other attacks, which allowed us to gain a unique insight into the attack."

All known Red October attacks have been launched using spear-phishing emails with attachments carrying "enticing names," said researchers. The attachments recovered to date have been malicious Excel and Word documents, although attackers also appear to have used the so-called Rhino exploit for a Java bug first found in 2011. Regardless of the attack, the goal is to infect a target system with backdoor and dropper software known as Sputnik.

To be clear, Kaspersky Lab said that Sputnik isn't as advanced as the Flame malware that it was the first to discover, and which was reportedly the product of a U.S. cyber-weapons program. Flame tapped world-class crypto to create a never-seen-before type of collision attack on Windows Update, which allowed attackers to instruct targeted Windows operating systems to install their malware. At the time, Kaspersky Lab researcher Alexander Gostev likened the capability to the "god mode" cheat in videogames that makes a user invulnerable and allows them to move about a game at will.

Still, the Red October operation is extensive, and attackers have designed or customized more than 1,000 modules and tools, which they could instruct any Sputnik-infection system to download. To help analyze all of those different attack modules, Kaspersky Lab has grouped them into nine categories: reconnaissance (to gather information about a targeted system immediately upon infection); password (for stealing passwords); email (to steal emails); USB drives (monitor and steal data); keyboard (log keystrokes); persistence (plant malicious plug-ins in applications such as Microsoft Office and Adobe Reader); spreading (scan for new targets on a local network); mobile (grab data from smartphones and other PC-connected devices); and exfiltration (transfer all collected data to command-and-control server).

Researchers have yet to recover samples of all modules that were used by attackers. For example, a USB infection module hasn't yet been recovered. "We suspect that this module is capable of infecting removable storage, running arbitrary modules from other groups and [saving] data back to the USB drives," they said. No doubt the hunt for more Red October and Sputnik clues to continue.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2208
Published: 2014-12-28
CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string.

CVE-2014-2209
Published: 2014-12-28
Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory.

CVE-2014-5386
Published: 2014-12-28
The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initial...

CVE-2014-6123
Published: 2014-12-28
IBM Rational AppScan Source 8.0 through 8.0.0.2 and 8.5 through 8.5.0.1 and Security AppScan Source 8.6 through 8.6.0.2, 8.7 through 8.7.0.1, 8.8, 9.0 through 9.0.0.1, and 9.0.1 allow local users to obtain sensitive credential information by reading installation logs.

CVE-2014-6160
Published: 2014-12-28
IBM WebSphere Service Registry and Repository (WSRR) 8.5 before 8.5.0.1, when Chrome and WebSEAL are used, does not properly process ServiceRegistryDashboard logout actions, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.