
Red October Espionage Network Rivals Flame

Newly discovered espionage malware infrastructure largely targets organizations in Eastern Europe and Asia.

Security researchers have uncovered an espionage malware network that's been operating undetected for at least five years and that has likely stolen quantities of data that stretch into the terabytes.

"The campaign, identified as 'Rocra' -- short for 'Red October' -- is currently still active, with data being sent to multiple command-and-control servers, through a configuration which rivals in complexity the infrastructure of the Flame malware," read research published by Kaspersky Lab.

Operation Red October involves a series of highly targeted attacks. "All the attacks are carefully tuned to the specifics of the victims. For instance, the initial documents are customized to make them more appealing, and every single module is specifically compiled for the victim with a unique victim ID inside," said Kaspersky Lab. In addition, it said attacks are also customized based on the target's native language, the specific software installed on their system, and the types of documents they prefer to use.


Kaspersky Lab said it first learned of the attacks in October 2012, after being supplied -- by a third party that wishes to remain anonymous -- with samples of spear-phishing emails and malware modules being used by attackers. Interestingly, the spear-phishing attack emails appear to have been recycled from an attack campaign that targeted Tibetan activists, as well as military organizations and energy companies in Asia. Attackers, however, substituted their own malicious code.

Working with US-CERT as well as the Romanian CERT and the Belarusian CERT, Kaspersky Lab said it began monitoring the malware used by attackers on Nov. 2, 2012. By Jan. 10, 2013, it had seen 250 different IP addresses registering more than 55,000 connections to a sinkhole it created to study the attacks.

The greatest number of Rocra-infected PCs (35) appear to be in the Russian Federation, followed by Kazakhstan (21), Azerbaijan (15), Belgium (15) and India (14). "The infections we've identified are distributed mostly in Eastern Europe, but there are also reports coming from North America and Western European countries such as Switzerland or Luxembourg," read the report.

The malware being used by attackers, which is still active, has primarily targeted organizations belonging to one of the following eight categories: government, diplomatic (including embassies), research institutions, trade and commerce, nuclear or energy research, oil and gas, aerospace, and military.

Once the malware infects a PC, it serves as a launch pad for further attack code, which typically gets downloaded once, executed and then deleted. Other modules, however, such as malicious code that waits for a smartphone to be connected to a PC and then steals data from the device, remain indefinitely active. "During our investigation, we've uncovered over 1,000 modules belonging to 30 different module categories," said Kaspersky Lab. "These have been created between 2007 with the most recent being compiled on 8th Jan 2013."

Various modules offer the ability to retrieve Windows and Outlook account hashes, steal information stored on locally connected USB devices or smartphones -- iPhone, Android, Nokia and Windows Mobile -- as well as record keystrokes and webcam images, scan for open ports, grab and upload interesting files and more.

A network of command-and-control (C&C) servers is interfacing with the infected PCs to retrieve stolen data. "We uncovered more than 60 domain names used by the attackers to control and retrieve data from the victims. The domain names map to several dozen IPs located mostly in Russia and Germany," reported Kaspersky Lab. But again, it's unclear who's controlling the C&C servers, or where they're located. "The C&C infrastructure is actually a chain of servers working as proxies and hiding the location of the true -- mothership -- command and control server," the report read.

Some of the documents stolen by attackers have filenames that end with the "acid" extension, such as "acidcsa" and "acidsca." According to Kaspersky Lab, the 'acid*' extensions appear to refer to the classified software 'Acid Cryptofiler,' which is used by several entities such as the European Union and/or NATO.

Who built Rocra? According to Kaspersky Lab, the exploits appear to have been created by Chinese hackers, although the malware modules were apparently written by Russian-language speakers. Indeed, Kaspersky Lab, which is based in Moscow and was founded by Russian security expert Eugene Kaspersky, also noted finding typos and misspellings in the malware code that appear to be Russian-language slang terms, including the word "progra," a transliteration of Russian software-engineer slang for an application. The word "zakladka" also appears in the code; in Russian it can refer to a "bookmark," but it is also a slang term for "undeclared functionality" in hardware and software. According to the researchers, it may also mean a microphone embedded in a brick of an embassy building.

Despite the Chinese and Russian ties, however, currently there is no evidence linking this with a nation-state sponsored attack, according to the report.

If a government didn't launch this malware, where might it have originated? "The information stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states," said researchers. "Such information could be traded in the underground and sold to the highest bidder, which can be of course, anywhere."

Kaspersky Lab reported finding no connections between the malware and Flame, or any malware that's related to Flame, which security experts believe was built by the U.S. government. Meanwhile, the malware is also much more advanced than the attack code used in the Aurora or Night Dragon attacks, both of which have been ascribed to the Chinese government. "Compared to Aurora and Night Dragon, Rocra is a lot more sophisticated," said Kaspersky Lab.


I give
User Rank: Apprentice
1/14/2013 | 7:20:57 PM
re: Red October Espionage Network Rivals Flame
This is an arena threat that should be given priority and coverage by the media, the U.S. Congress, industry, finance, Homeland Security, the SEC, presidents, all levels of government and individuals. The threat is greater than that from "global warming", energy, guns, free contraceptives, aging of populations, commerce, and health care. Next to the ability to harness energy, if not equal or greater to it, information is one of few traits which make humans human.
User Rank: Apprentice
1/17/2013 | 2:29:08 PM
re: Red October Espionage Network Rivals Flame
This group is composed of amateurs, but according to Kaspersky the hack is Chinese or Russian.
I found on the website the latest information on this topic: