Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Red October Espionage Network Rivals Flame

Newly discovered espionage malware infrastructure largely targets organizations in Eastern Europe and Asia.

Security researchers have uncovered an espionage malware network that's been operating undetected for at least five years and that has likely stolen quantities of data that stretch into the terabytes.

"The campaign, identified as 'Rocra' -- short for 'Red October' -- is currently still active, with data being sent to multiple command-and-control servers, through a configuration which rivals in complexity the infrastructure of the Flame malware," read research published by Kaspersky Lab.

Operation Red October involves a series of highly targeted attacks. "All the attacks are carefully tuned to the specifics of the victims. For instance, the initial documents are customized to make them more appealing, and every single module is specifically compiled for the victim with a unique victim ID inside," said Kaspersky Lab. In addition, it said attacks are also customized based on the target's native language, the specific software installed on their system, and the types of documents they prefer to use.

[ Did recent attacks on U.S. banks really have ties to Iran? Read more at Bank Attacker Iran Ties Questioned By Security Pros. ]

Kaspersky Lab said it first learned of the attacks in October 2012, after being supplied -- by a third party that wishes to remain anonymous -- with samples of spear-phishing emails and malware modules being used by attackers. Interestingly, the spear-phishing attack emails appear to have been recycled from an attack campaign that targeted Tibetan activists, as well as military organizations and energy companies in Asia. Attackers, however, substituted their own malicious code.

Working with US-CERT as well as the Romanian CERT and the Belarusian CERT, Kaspersky Lab said it began monitoring the malware used by attackers on Nov. 2, 2012. By Jan. 10, 2013, it had seen 250 different IP addresses registering more than 55,000 connections to a sinkhole it created to study the attacks.

The greatest number of Rocra-infected PCs (35) appear to be in the Russian Federation, followed by Kazakhstan (21), Azerbaijan (15), Belgium (15) and India (14). "The infections we've identified are distributed mostly in Eastern Europe, but there are also reports coming from North America and Western European countries such as Switzerland or Luxembourg," read the report.

The malware being used by attackers, which is still active, has primarily targeted organizations belonging to one of the following eight categories: government, diplomatic (including embassies), research institutions, trade and commerce, nuclear or energy research, oil and gas, aerospace, and military.

Once the malware infects a PC, it serves as a launch pad for further attack code, which typically gets downloaded once, executed and then deleted. Other modules, however, such as malicious code that waits for a smartphone to be connected to a PC and then steals data from the device, remain indefinitely active. "During our investigation, we've uncovered over 1,000 modules belonging to 30 different module categories," said Kaspersky Lab. "These have been created between 2007 with the most recent being compiled on 8th Jan 2013."

Various modules offer the ability to retrieve Windows and Outlook account hashes, steal information stored on locally connected USB devices or smartphones -- iPhone, Android, Nokia and Windows Mobile -- as well as record keystrokes and webcam images, scan for open ports, grab and upload interesting files and more.

A network of command-and-control (C&C) servers is interfacing with the infected PCs to retrieve stolen data. "We uncovered more than 60 domain names used by the attackers to control and retrieve data from the victims. The domain names map to several dozen IPs located mostly in Russia and Germany," reported Kaspersky Lab. But again, it's unclear who's controlling the C&C servers, or where they're located. "The C&C infrastructure is actually a chain of servers working as proxies and hiding the location of the true -- mothership -- command and control server," the report read.

Some of the documents stolen by attackers have filenames that end with the "acid" extension, such as "acidcsa" and "acidsca." According to Kaspersky Lab, the 'acid*' extensions appear to refer to the classified software 'Acid Cryptofiler,' which is used by several entities such as the European Union and/or NATO.

Who built Rocra? According to Kaspersky Lab, the exploits appear to have been created by Chinese hackers, although the malware modules were apparently written by Russian-language speakers. Indeed, the report from Kaspersky Lab, which is based in Moscow and was founded by Russian security expert Eugene Kaspersky, also reported finding typos and misspellings in the malware code that appear to be Russian-language slang terms, including the word "progra," which is a transliteration of Russian software engineer slang for an application. The word "zakladka" also appears in the code, which in Russian can refer to a "bookmark" but is also a slang term for "undeclared functionality" in hardware and software. According to the researchers, however, it may also mean a microphone embedded in a brick of the embassy building.

Despite the Chinese and Russian ties, however, currently there is no evidence linking this with a nation-state sponsored attack, according to the report.

If a government didn't launch this malware, where might it have originated? "The information stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states," said researchers. "Such information could be traded in the underground and sold to the highest bidder, which can be of course, anywhere."

Kaspersky Lab reported finding no connections between the malware and Flame, or any malware that's related to Flame, which security experts believe was built by the U.S. government. Meanwhile, the malware is also much more advanced than the attack code used in the Aurora or Night Dragon attacks, both of which have been ascribed to the Chinese government. "Compared to Aurora and Night Dragon, Rocra is a lot more sophisticated," said Kaspersky Lab.

As malware gets increasingly sophisticated, so, too, must the technology and strategies we use to detect and eradicate it (or, better yet, stop it before it ever makes it onto network systems). Our Rooting Out Sophisticated Malware report examines the tools, technologies and strategies that can ease some of the burden. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/17/2013 | 2:29:08 PM
re: Red October Espionage Network Rivals Flame
This group is composed of amateur, but kaspersky according to hack Chinese or Russian.
I found on the website, the lastest informations on this topic :
I give
I give,
User Rank: Apprentice
1/14/2013 | 7:20:57 PM
re: Red October Espionage Network Rivals Flame
This is an arena threat that should be given priority and coverage by the media, the U.S. Congress, industry, finance, Homeland Security, the SEC, presidents, all levels of governemnt and individuals. The threat is greater than that from "global warming", energy, guns, free contraceptives, aging of populations, commerce, and health care. Next to the ability to harness energy, if not equal or greater to it, information is one of few traits which make humans human.
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-07
U.S. National Security Agency (NSA) Emissary 5.9.0 allows an authenticated user to upload arbitrary files.
PUBLISHED: 2021-05-07
U.S. National Security Agency (NSA) Emissary 5.9.0 allows an authenticated user to delete arbitrary files.
PUBLISHED: 2021-05-07
The ConsoleAction component of U.S. National Security Agency (NSA) Emissary 5.9.0 allows a CSRF attack that results in injecting arbitrary Ruby code (for an eval call) via the CONSOLE_COMMAND_STRING parameter.
PUBLISHED: 2021-05-07
Artica Pandora FMS 742 allows unauthenticated attackers to perform Phar deserialization.
PUBLISHED: 2021-05-07
A SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attacker to upgrade his unprivileged session via the /include/chart_generator.php session_id parameter, leading to a login bypass.