Attacks/Breaches
1/14/2013
03:23 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

'Red October' Attacks: The New Face Of Cyberespionage

New cyberspying attacks discovered siphoning terabytes of information from computers, smartphones, routers, and even VoIP phones

A newly uncovered and especially sophisticated cyberespionage initiative against government, diplomatic, and scientific research organizations spanning multiple regions worldwide that has stolen terabytes of information for at least five years could provide a clearer picture of what advanced forms of these attacks really look like.

The so-called "Red October" attacks targeting diplomatic entities mainly in Eastern Europe and Central Asia -- but spanning the U.S. as well -- is more widespread and massive than the infamous Flame cyberspying campaign, according to researchers at Kaspersky Lab, who published a report today on the attacks. They stopped short of labeling Red October as a nation-state effort, but given the custom malware, massive command-and-control infrastructure, and the sheer amount of data stolen, some researchers say a nation-state has to be behind it.

[An oft-overlooked detail about Stuxnet, Duqu, and Flame is that the attacks all targeted Windows machines in Iran even though Windows isn't allowed to be sold there under U.S. export restriction laws. See Stuxnet, Duqu, Flame Targeted Illegal Windows Systems In Iran. ]

Red October goes after governments, diplomatic offices/embassies, and research, trade/commerce, nuclear/energy, oil and gas, aerospace, and military targets. Kaspersky Lab has tallied several hundred infected organizations from these sectors, mostly in Eastern Europe. Among the infected organizations: 35 in the Russian Federation, 21 in Kazakhstan, 12 in Azerbaijan and Belgium, 14 in India, and six in the U.S.

The attacks even steal data from Windows Mobile, iPhone, and Nokia smartphones at the targeted organizations.

Roel Schouwenberg, senior researcher for global research and analysis at Kaspersky Lab, says Red October is more sophisticated than the average cyberspionage campaign. "It basically goes after everything ... on the desktop, your smartphone, your Cisco router, and your SIP [Session Initiation Protocol] phone ... Absolutely anything that could potentially be interesting and exfiltrated," he says. "So from this point of view, this is what advanced or sophisticated cyberespionage really looks like."

He says the "end customer" of the stolen information is likely a nation-state. It's just not clear based on the technical information Kaspersky has gathered thus far who is actually behind it: The exploits used in the attacks are ones used by Chinese advanced persistent threat (APT) actors, but the malware writers appear to be native Russian-speakers, according to Kaspersky's findings.

"You look at the malware first and foremost versus the exploit to see where it comes from. Exploits can come from anywhere," he says. "You always figure so much stuff is coming from China ... and people like to piggyback on that. But other than there are Russian-speaking people" involved, we don't know who is behind it, he says.

"I do think the end customer is a nation-state, especially with the strong emphasis on diplomatic organizations," Schouwenberg says.

But Dmitri Alperovitch, CTO at CrowdStrike, says the attacks have all the earmarks of a nation-state sponsored initiative. "It seemed very clear that it's a nation-state sponsored operation," Alperovitch says.

With the malware that hasn't been seen before in other cybercrime operations, contractors could be doing the work on behalf of the nation-state actors, he notes. He says it's unlikely a Chinese operation. Even so, attribution is difficult, as always. "It's hard to say: It could be Russia or other Russian-speaking countries, [including] the Ukraine or [Bellarus]. I doubt it's China," he says.

Alperovitch adds that Kaspersky Lab's name for the operation, "Red October," seems to hint of a Russian connection.

Red October doesn't appear to be a single campaign, but, rather, a series of campaigns that may have been launched at various times and targets since 2007. Kaspersky has sinkholed more than 60 domains being used by the malware, and found victims in 39 different countries. Around 250 different IP addresses connected to the sinkhole, which it ran from last Nov. 2 to Jan. 10 of this year. Most of the IPs were from Switzerland, Kazakhstan, and Greece.

"I don't think it was one operator or campaign like Aurora" and other similar APTs, Alperovitch says. "What you are dealing with here is a toolkit framework connected to a number of campaigns over a five- to six-year period.

"It's clear that significant effort went into this tool over time, so it makes sense it was used for more than one operation," he says.

Kaspersky's Schouwenberg says he thinks this is probably only a snapshot of the operation. "Overall, I do think that they probably moved from vertical [industry] to vertical [industry] ... this has been something that has been ongoing, and there might be some things we haven't seen yet," he says.

The attacks started with classic cyberspying spear-phishing emails, loaded with a custom Trojan dropper. The payload includes known exploits for Microsoft Word (CVE-2010-3333 and CVE-2012-0158) and Excel (CVE-2009-3129). The earliest attacks Kaspersky was able to trace used the Excel attack in 2010 and 2011, and attacks in the summer of 2012 employed the Word exploits. "The exploits from the documents used in the spear-phishing emails were created by other attackers and employed during different cyberattacks, including Tibetan activists as well as military and energy sector targets in Asia," according to Kaspersky's findings.

The attackers created custom versions of the so-called "Rocra" malware using the exploits. Among the capabilities of the custom malware used in the attacks: a module that lets the attackers regain a foothold into a targeted machine if it has been cleaned up or patched. The module is embedded inside Adobe Reader and Microsoft Office.

Another unique feature of the malware is that it searches for files that are encrypted with Acide Cryptofiler, an obscure encryption package used by NATO and the European Union for protecting sensitive information. Rocra also targets smartphones, routers, and switches, and can access deleted files from removable disk drives.

"They knew exactly what they were targeting," CrowdStrike's Alperovitch says of the Cryptofiler-finding feature. "This is not a global operation trying to get everything off of those infected machines. Whoever was receiving those files has to understand what they contain, how to decrypt them, and has other intelligence collected through other means," he says, all of which indicates that it's a nation-state actor, he says.

The attackers also have some serious big-data capabilities given the volume of information -- terabytes -- they are stealing. "There must be a very serious back end," Kaspersky's Schouwenberg says.

The sheer size of the command-and-control infrastructure, with some 60 domains, shows how "these guys know how to scale," he says.

Kaspersky Lab is working with law enforcement and CERT teams around the globe in the investigation into Red October. Kaspersky Lab's report on Red October is available here, and the firm is promising to publish a second part of the report later this week with more technical details.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2227
Published: 2014-07-25
The default Flash cross-domain policy (crossdomain.xml) in Ubiquiti Networks UniFi Video (formerly AirVision aka AirVision Controller) before 3.0.1 does not restrict access to the application, which allows remote attackers to bypass the Same Origin Policy via a crafted SWF file.

CVE-2014-5027
Published: 2014-07-25
Cross-site scripting (XSS) vulnerability in Review Board 1.7.x before 1.7.27 and 2.0.x before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via a query parameter to a diff fragment page.

CVE-2014-5100
Published: 2014-07-25
Multiple cross-site request forgery (CSRF) vulnerabilities in Omeka before 2.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new super user account via a request to admin/users/add, (2) insert cross-site scripting (XSS) sequences via the api_key_...

CVE-2014-5101
Published: 2014-07-25
Multiple cross-site scripting (XSS) vulnerabilities in WeBid 1.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) TPL_name, (2) TPL_nick, (3) TPL_email, (4) TPL_year, (5) TPL_address, (6) TPL_city, (7) TPL_prov, (8) TPL_zip, (9) TPL_phone, (10) TPL_pp_email, (11) TPL_authn...

CVE-2014-5102
Published: 2014-07-25
SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 allows remote attackers to execute arbitrary SQL commands via the criteria[startswith] parameter to ajax/render/memberlist_items.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.