Attacks/Breaches
1/14/2013
12:51 PM
50%
50%

Red October Espionage Network Rivals Flame

Newly discovered espionage malware infrastructure largely targets organizations in Eastern Europe and Asia.

Security researchers have uncovered an espionage malware network that's been operating undetected for at least five years and that has likely stolen quantities of data that stretch into the terabytes.

"The campaign, identified as 'Rocra' -- short for 'Red October' -- is currently still active, with data being sent to multiple command-and-control servers, through a configuration which rivals in complexity the infrastructure of the Flame malware," read research published by Kaspersky Lab.

Operation Red October involves a series of highly targeted attacks. "All the attacks are carefully tuned to the specifics of the victims. For instance, the initial documents are customized to make them more appealing, and every single module is specifically compiled for the victim with a unique victim ID inside," said Kaspersky Lab. In addition, it said attacks are also customized based on the target's native language, the specific software installed on their system, and the types of documents they prefer to use.

[ Did recent attacks on U.S. banks really have ties to Iran? Read more at Bank Attacker Iran Ties Questioned By Security Pros. ]

Kaspersky Lab said it first learned of the attacks in October 2012, after being supplied -- by a third party that wishes to remain anonymous -- with samples of spear-phishing emails and malware modules being used by attackers. Interestingly, the spear-phishing attack emails appear to have been recycled from an attack campaign that targeted Tibetan activists, as well as military organizations and energy companies in Asia. Attackers, however, substituted their own malicious code.

Working with US-CERT as well as the Romanian CERT and the Belarusian CERT, Kaspersky Lab said it began monitoring the malware used by attackers on Nov. 2, 2012. By Jan. 10, 2013, it had seen 250 different IP addresses registering more than 55,000 connections to a sinkhole it created to study the attacks.

The greatest number of Rocra-infected PCs (35) appear to be in the Russian Federation, followed by Kazakhstan (21), Azerbaijan (15), Belgium (15) and India (14). "The infections we've identified are distributed mostly in Eastern Europe, but there are also reports coming from North America and Western European countries such as Switzerland or Luxembourg," read the report.

The malware being used by attackers, which is still active, has primarily targeted organizations belonging to one of the following eight categories: government, diplomatic (including embassies), research institutions, trade and commerce, nuclear or energy research, oil and gas, aerospace, and military.

Once the malware infects a PC, it serves as a launch pad for further attack code, which typically gets downloaded once, executed and then deleted. Other modules, however, such as malicious code that waits for a smartphone to be connected to a PC and then steals data from the device, remain indefinitely active. "During our investigation, we've uncovered over 1,000 modules belonging to 30 different module categories," said Kaspersky Lab. "These have been created between 2007 with the most recent being compiled on 8th Jan 2013."

Various modules offer the ability to retrieve Windows and Outlook account hashes, steal information stored on locally connected USB devices or smartphones -- iPhone, Android, Nokia and Windows Mobile -- as well as record keystrokes and webcam images, scan for open ports, grab and upload interesting files and more.

A network of command-and-control (C&C) servers is interfacing with the infected PCs to retrieve stolen data. "We uncovered more than 60 domain names used by the attackers to control and retrieve data from the victims. The domain names map to several dozen IPs located mostly in Russia and Germany," reported Kaspersky Lab. But again, it's unclear who's controlling the C&C servers, or where they're located. "The C&C infrastructure is actually a chain of servers working as proxies and hiding the location of the true -- mothership -- command and control server," the report read.

Some of the documents stolen by attackers have filenames that end with the "acid" extension, such as "acidcsa" and "acidsca." According to Kaspersky Lab, the 'acid*' extensions appear to refer to the classified software 'Acid Cryptofiler,' which is used by several entities such as the European Union and/or NATO.

Who built Rocra? According to Kaspersky Lab, the exploits appear to have been created by Chinese hackers, although the malware modules were apparently written by Russian-language speakers. Indeed, the report from Kaspersky Lab, which is based in Moscow and was founded by Russian security expert Eugene Kaspersky, also reported finding typos and misspellings in the malware code that appear to be Russian-language slang terms, including the word "progra," which is a transliteration of Russian software engineer slang for an application. The word "zakladka" also appears in the code, which in Russian can refer to a "bookmark" but is also a slang term for "undeclared functionality" in hardware and software. According to the researchers, however, it may also mean a microphone embedded in a brick of the embassy building.

Despite the Chinese and Russian ties, however, currently there is no evidence linking this with a nation-state sponsored attack, according to the report.

If a government didn't launch this malware, where might it have originated? "The information stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states," said researchers. "Such information could be traded in the underground and sold to the highest bidder, which can be of course, anywhere."

Kaspersky Lab reported finding no connections between the malware and Flame, or any malware that's related to Flame, which security experts believe was built by the U.S. government. Meanwhile, the malware is also much more advanced than the attack code used in the Aurora or Night Dragon attacks, both of which have been ascribed to the Chinese government. "Compared to Aurora and Night Dragon, Rocra is a lot more sophisticated," said Kaspersky Lab.

As malware gets increasingly sophisticated, so, too, must the technology and strategies we use to detect and eradicate it (or, better yet, stop it before it ever makes it onto network systems). Our Rooting Out Sophisticated Malware report examines the tools, technologies and strategies that can ease some of the burden. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
malo46
50%
50%
malo46,
User Rank: Apprentice
1/17/2013 | 2:29:08 PM
re: Red October Espionage Network Rivals Flame
This group is composed of amateur, but kaspersky according to hack Chinese or Russian.
I found on the website, the lastest informations on this topic :
http://www.techweekeurope.co.u...
I give
50%
50%
I give,
User Rank: Apprentice
1/14/2013 | 7:20:57 PM
re: Red October Espionage Network Rivals Flame
This is an arena threat that should be given priority and coverage by the media, the U.S. Congress, industry, finance, Homeland Security, the SEC, presidents, all levels of governemnt and individuals. The threat is greater than that from "global warming", energy, guns, free contraceptives, aging of populations, commerce, and health care. Next to the ability to harness energy, if not equal or greater to it, information is one of few traits which make humans human.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-4720
Published: 2014-12-27
Hillstone HS TFTP Server 1.3.2 allows remote attackers to cause a denial of service (daemon crash) via a long filename in a (1) RRQ or (2) WRQ operation.

CVE-2012-1203
Published: 2014-12-27
Cross-site request forgery (CSRF) vulnerability in starnet/index.php in SyndeoCMS 3.0 and earlier allows remote attackers to hijack the authentication of administrators for requests that add user accounts via a save_user action.

CVE-2013-4663
Published: 2014-12-27
git_http_controller.rb in the redmine_git_hosting plugin for Redmine allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the service parameter to info/refs, related to the get_info_refs function or (2) the reqfile argument to the file_exists function.

CVE-2013-4793
Published: 2014-12-27
The update function in umbraco.webservices/templates/templateService.cs in the TemplateService component in Umbraco CMS before 6.0.4 does not require authentication, which allows remote attackers to execute arbitrary ASP.NET code via a crafted SOAP request.

CVE-2013-5958
Published: 2014-12-27
The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a si...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.