1/18/2013
02:03 PM

Operation Red October Attackers Wielded Spear Phishing

Advanced, malware-driven espionage network employed over 1,000 modules and tools customized for just hundreds of targets, finds Kaspersky analysis.

The Red October malware network is one of the most advanced online espionage operations that's ever been discovered. That's the conclusion of Moscow-based security firm Kaspersky Lab, which first discovered Operation Red October--"Rocra" for short--in October 2012.

"The primary focus of this campaign targets countries in Eastern Europe, former USSR republics, and countries in Central Asia, although victims can be found everywhere, including Western Europe and North America," according to research published by the security firm. The attackers, who appear to speak Russian but to have also used some Chinese-made software, seem to have focused their efforts on stealing diplomatic and government information, as well as scientific research, from not just PCs and servers but also mobile devices.

The Red October attacks began in 2007, and remained active at least through Sunday, which was the day before Kaspersky Lab first publicly detailed its research into the espionage operation.

In a more detailed technical analysis published Thursday that stretches 140 pages, Kaspersky Lab provided additional information about the operators' attack techniques, including the malware family used in the attacks, which it's dubbed Sputnik, and which was used to infect just hundreds of systems. "According to our knowledge, never before in the history of [information security] has [a] cyber-espionage operation been analyzed in such deep detail, with a focus on the modules used for attack and data exfiltration," said Kaspersky Lab.

But studying an espionage malware operation such as Red October, which was designed to steal data from specific targets -- assigning victims unique ID numbers and in some cases employing malware modules customized solely for one target -- is complicated by the fact that researchers cannot see the data that was stolen, nor recover every attack module.

Accordingly, Kaspersky Lab researchers determined to play the victim. "To get around these hiccups, we set up several fake victims around the world and monitored how the attackers handled them over the course of several months," they said. "This allowed us to collect hundreds of attack modules and tools. In addition to these, we identified many other modules used in other attacks, which allowed us to gain a unique insight into the attack."

All known Red October attacks have been launched using spear-phishing emails with attachments carrying "enticing names," said researchers. The attachments recovered to date have been malicious Excel and Word documents, although attackers also appear to have used the so-called Rhino exploit for a Java bug first found in 2011. Regardless of the attack vector, the goal is to infect a target system with backdoor and dropper software known as Sputnik.

To be clear, Kaspersky Lab said that Sputnik isn't as advanced as the Flame malware that it was the first to discover, and which was reportedly the product of a U.S. cyber-weapons program. Flame tapped world-class crypto to create a never-seen-before type of collision attack on Windows Update, which allowed attackers to instruct targeted Windows operating systems to install their malware. At the time, Kaspersky Lab researcher Alexander Gostev likened the capability to the "god mode" cheat in videogames that makes a user invulnerable and allows them to move about a game at will.

Still, the Red October operation is extensive, and attackers have designed or customized more than 1,000 modules and tools, which they could instruct any Sputnik-infected system to download. To help analyze all of those different attack modules, Kaspersky Lab has grouped them into nine categories: reconnaissance (to gather information about a targeted system immediately upon infection); password (for stealing passwords); email (to steal emails); USB drives (monitor and steal data); keyboard (log keystrokes); persistence (plant malicious plug-ins in applications such as Microsoft Office and Adobe Reader); spreading (scan for new targets on a local network); mobile (grab data from smartphones and other PC-connected devices); and exfiltration (transfer all collected data to the command-and-control server).

Researchers have yet to recover samples of all the modules used by the attackers. For example, a USB infection module hasn't yet been recovered. "We suspect that this module is capable of infecting removable storage, running arbitrary modules from other groups and [saving] data back to the USB drives," they said. No doubt the hunt for more Red October and Sputnik clues will continue.
