Attacks/Breaches
1/14/2013
03:23 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

'Red October' Attacks: The New Face Of Cyberespionage

New cyberspying attacks discovered siphoning terabytes of information from computers, smartphones, routers, and even VoIP phones

A newly uncovered and especially sophisticated cyberespionage initiative against government, diplomatic, and scientific research organizations spanning multiple regions worldwide that has stolen terabytes of information for at least five years could provide a clearer picture of what advanced forms of these attacks really look like.

The so-called "Red October" attacks targeting diplomatic entities mainly in Eastern Europe and Central Asia -- but spanning the U.S. as well -- is more widespread and massive than the infamous Flame cyberspying campaign, according to researchers at Kaspersky Lab, who published a report today on the attacks. They stopped short of labeling Red October as a nation-state effort, but given the custom malware, massive command-and-control infrastructure, and the sheer amount of data stolen, some researchers say a nation-state has to be behind it.

[An oft-overlooked detail about Stuxnet, Duqu, and Flame is that the attacks all targeted Windows machines in Iran even though Windows isn't allowed to be sold there under U.S. export restriction laws. See Stuxnet, Duqu, Flame Targeted Illegal Windows Systems In Iran. ]

Red October goes after governments, diplomatic offices/embassies, and research, trade/commerce, nuclear/energy, oil and gas, aerospace, and military targets. Kaspersky Lab has tallied several hundred infected organizations from these sectors, mostly in Eastern Europe. Among the infected organizations: 35 in the Russian Federation, 21 in Kazakhstan, 12 in Azerbaijan and Belgium, 14 in India, and six in the U.S.

The attacks even steal data from Windows Mobile, iPhone, and Nokia smartphones at the targeted organizations.

Roel Schouwenberg, senior researcher for global research and analysis at Kaspersky Lab, says Red October is more sophisticated than the average cyberspionage campaign. "It basically goes after everything ... on the desktop, your smartphone, your Cisco router, and your SIP [Session Initiation Protocol] phone ... Absolutely anything that could potentially be interesting and exfiltrated," he says. "So from this point of view, this is what advanced or sophisticated cyberespionage really looks like."

He says the "end customer" of the stolen information is likely a nation-state. It's just not clear based on the technical information Kaspersky has gathered thus far who is actually behind it: The exploits used in the attacks are ones used by Chinese advanced persistent threat (APT) actors, but the malware writers appear to be native Russian-speakers, according to Kaspersky's findings.

"You look at the malware first and foremost versus the exploit to see where it comes from. Exploits can come from anywhere," he says. "You always figure so much stuff is coming from China ... and people like to piggyback on that. But other than there are Russian-speaking people" involved, we don't know who is behind it, he says.

"I do think the end customer is a nation-state, especially with the strong emphasis on diplomatic organizations," Schouwenberg says.

But Dmitri Alperovitch, CTO at CrowdStrike, says the attacks have all the earmarks of a nation-state sponsored initiative. "It seemed very clear that it's a nation-state sponsored operation," Alperovitch says.

With the malware that hasn't been seen before in other cybercrime operations, contractors could be doing the work on behalf of the nation-state actors, he notes. He says it's unlikely a Chinese operation. Even so, attribution is difficult, as always. "It's hard to say: It could be Russia or other Russian-speaking countries, [including] the Ukraine or [Bellarus]. I doubt it's China," he says.

Alperovitch adds that Kaspersky Lab's name for the operation, "Red October," seems to hint of a Russian connection.

Red October doesn't appear to be a single campaign, but, rather, a series of campaigns that may have been launched at various times and targets since 2007. Kaspersky has sinkholed more than 60 domains being used by the malware, and found victims in 39 different countries. Around 250 different IP addresses connected to the sinkhole, which it ran from last Nov. 2 to Jan. 10 of this year. Most of the IPs were from Switzerland, Kazakhstan, and Greece.

"I don't think it was one operator or campaign like Aurora" and other similar APTs, Alperovitch says. "What you are dealing with here is a toolkit framework connected to a number of campaigns over a five- to six-year period.

"It's clear that significant effort went into this tool over time, so it makes sense it was used for more than one operation," he says.

Kaspersky's Schouwenberg says he thinks this is probably only a snapshot of the operation. "Overall, I do think that they probably moved from vertical [industry] to vertical [industry] ... this has been something that has been ongoing, and there might be some things we haven't seen yet," he says.

The attacks started with classic cyberspying spear-phishing emails, loaded with a custom Trojan dropper. The payload includes known exploits for Microsoft Word (CVE-2010-3333 and CVE-2012-0158) and Excel (CVE-2009-3129). The earliest attacks Kaspersky was able to trace used the Excel attack in 2010 and 2011, and attacks in the summer of 2012 employed the Word exploits. "The exploits from the documents used in the spear-phishing emails were created by other attackers and employed during different cyberattacks, including Tibetan activists as well as military and energy sector targets in Asia," according to Kaspersky's findings.

The attackers created custom versions of the so-called "Rocra" malware using the exploits. Among the capabilities of the custom malware used in the attacks: a module that lets the attackers regain a foothold into a targeted machine if it has been cleaned up or patched. The module is embedded inside Adobe Reader and Microsoft Office.

Another unique feature of the malware is that it searches for files that are encrypted with Acide Cryptofiler, an obscure encryption package used by NATO and the European Union for protecting sensitive information. Rocra also targets smartphones, routers, and switches, and can access deleted files from removable disk drives.

"They knew exactly what they were targeting," CrowdStrike's Alperovitch says of the Cryptofiler-finding feature. "This is not a global operation trying to get everything off of those infected machines. Whoever was receiving those files has to understand what they contain, how to decrypt them, and has other intelligence collected through other means," he says, all of which indicates that it's a nation-state actor, he says.

The attackers also have some serious big-data capabilities given the volume of information -- terabytes -- they are stealing. "There must be a very serious back end," Kaspersky's Schouwenberg says.

The sheer size of the command-and-control infrastructure, with some 60 domains, shows how "these guys know how to scale," he says.

Kaspersky Lab is working with law enforcement and CERT teams around the globe in the investigation into Red October. Kaspersky Lab's report on Red October is available here, and the firm is promising to publish a second part of the report later this week with more technical details.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2413
Published: 2014-10-20
Cross-site scripting (XSS) vulnerability in the ja_purity template for Joomla! 1.5.26 and earlier allows remote attackers to inject arbitrary web script or HTML via the Mod* cookie parameter to html/modules.php.

CVE-2012-5244
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) return, (2) display, (3) table, or (4) search parameter to functions/suggest.php; (5) the id parameter to functions/widgets.php, (6) the category parameter to...

CVE-2012-5694
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 allow remote attackers to execute arbitrary SQL commands via the (1) agentPhNo, (2) controlPhNo, (3) agentURLPath, (4) agentControlKey, or (5) platformDD1 parameter to frameworkgui/attach2Agents.p...

CVE-2012-5695
Published: 2014-10-20
Multiple cross-site request forgery (CSRF) vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) 0.1.2 through 0.1.4 allow remote attackers to hijack the authentication of administrators for requests that conduct (1) shell metacharacter or (2) SQL injection attacks or (3) send an SMS m...

CVE-2012-5696
Published: 2014-10-20
Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 does not properly restrict access to frameworkgui/config, which allows remote attackers to obtain the plaintext database password via a direct request.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.