Red October Espionage Network Rivals Flame

Newly discovered espionage malware infrastructure largely targets organizations in Eastern Europe and Asia.

Security researchers have uncovered an espionage malware network that's been operating undetected for at least five years and that has likely stolen quantities of data that stretch into the terabytes.

"The campaign, identified as 'Rocra' -- short for 'Red October' -- is currently still active, with data being sent to multiple command-and-control servers, through a configuration which rivals in complexity the infrastructure of the Flame malware," read research published by Kaspersky Lab.

Operation Red October involves a series of highly targeted attacks. "All the attacks are carefully tuned to the specifics of the victims. For instance, the initial documents are customized to make them more appealing, and every single module is specifically compiled for the victim with a unique victim ID inside," said Kaspersky Lab. In addition, it said attacks are also customized based on the target's native language, the specific software installed on their system, and the types of documents they prefer to use.

Kaspersky Lab said it first learned of the attacks in October 2012, after being supplied -- by a third party that wishes to remain anonymous -- with samples of spear-phishing emails and malware modules being used by attackers. Interestingly, the spear-phishing attack emails appear to have been recycled from an attack campaign that targeted Tibetan activists, as well as military organizations and energy companies in Asia. Attackers, however, substituted their own malicious code.

Working with US-CERT as well as the Romanian CERT and the Belarusian CERT, Kaspersky Lab said it began monitoring the malware used by attackers on Nov. 2, 2012. By Jan. 10, 2013, it had seen 250 different IP addresses registering more than 55,000 connections to a sinkhole it created to study the attacks.

The greatest number of Rocra-infected PCs (35) appear to be in the Russian Federation, followed by Kazakhstan (21), Azerbaijan (15), Belgium (15) and India (14). "The infections we've identified are distributed mostly in Eastern Europe, but there are also reports coming from North America and Western European countries such as Switzerland or Luxembourg," read the report.

The malware being used by attackers, which is still active, has primarily targeted organizations belonging to one of the following eight categories: government, diplomatic (including embassies), research institutions, trade and commerce, nuclear or energy research, oil and gas, aerospace, and military.

Once the malware infects a PC, it serves as a launch pad for further attack code, which typically gets downloaded once, executed and then deleted. Other modules, however, such as malicious code that waits for a smartphone to be connected to a PC and then steals data from the device, remain indefinitely active. "During our investigation, we've uncovered over 1,000 modules belonging to 30 different module categories," said Kaspersky Lab. "These have been created between 2007 with the most recent being compiled on 8th Jan 2013."

Various modules offer the ability to retrieve Windows and Outlook account hashes, steal information stored on locally connected USB devices or smartphones -- iPhone, Android, Nokia and Windows Mobile -- as well as record keystrokes and webcam images, scan for open ports, grab and upload interesting files and more.

A network of command-and-control (C&C) servers is interfacing with the infected PCs to retrieve stolen data. "We uncovered more than 60 domain names used by the attackers to control and retrieve data from the victims. The domain names map to several dozen IPs located mostly in Russia and Germany," reported Kaspersky Lab. But again, it's unclear who's controlling the C&C servers, or where they're located. "The C&C infrastructure is actually a chain of servers working as proxies and hiding the location of the true -- mothership -- command and control server," the report read.

Some of the documents stolen by attackers have filenames that end with the "acid" extension, such as "acidcsa" and "acidsca." According to Kaspersky Lab, the 'acid*' extensions appear to refer to the classified software 'Acid Cryptofiler,' which is used by several entities such as the European Union and/or NATO.

Who built Rocra? According to Kaspersky Lab, the exploits appear to have been created by Chinese hackers, although the malware modules were apparently written by Russian-language speakers. Indeed, the report from Kaspersky Lab, which is based in Moscow and was founded by Russian security expert Eugene Kaspersky, also notes typos and misspellings in the malware code that appear to be Russian-language slang terms, including the word "progra," which is a transliteration of Russian software engineer slang for an application. The word "zakladka" also appears in the code, which in Russian can refer to a "bookmark" but is also a slang term for "undeclared functionality" in hardware and software. According to the researchers, however, it may also mean a microphone embedded in a brick of the embassy building.

Despite the Chinese and Russian ties, however, currently there is no evidence linking this with a nation-state sponsored attack, according to the report.

If a government didn't launch this malware, where might it have originated? "The information stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states," said researchers. "Such information could be traded in the underground and sold to the highest bidder, which can be of course, anywhere."

Kaspersky Lab reported finding no connections between the malware and Flame, or any malware that's related to Flame, which security experts believe was built by the U.S. government. Meanwhile, the malware is also much more advanced than the attack code used in the Aurora or Night Dragon attacks, both of which have been ascribed to the Chinese government. "Compared to Aurora and Night Dragon, Rocra is a lot more sophisticated," said Kaspersky Lab.

As malware gets increasingly sophisticated, so, too, must the technology and strategies we use to detect and eradicate it (or, better yet, stop it before it ever makes it onto network systems). Our Rooting Out Sophisticated Malware report examines the tools, technologies and strategies that can ease some of the burden. (Free registration required.)

User Rank: Apprentice
1/17/2013 | 2:29:08 PM
re: Red October Espionage Network Rivals Flame
This group is composed of amateurs, but according to Kaspersky the hack is Chinese or Russian.
I found on the website the latest information on this topic:
I give
I give,
User Rank: Apprentice
1/14/2013 | 7:20:57 PM
re: Red October Espionage Network Rivals Flame
This is an arena threat that should be given priority and coverage by the media, the U.S. Congress, industry, finance, Homeland Security, the SEC, presidents, all levels of government and individuals. The threat is greater than that from "global warming", energy, guns, free contraceptives, aging of populations, commerce, and health care. Next to the ability to harness energy, if not equal or greater to it, information is one of few traits which make humans human.