Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/14/2013
03:23 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

'Red October' Attacks: The New Face Of Cyberespionage

New cyberspying attacks discovered siphoning terabytes of information from computers, smartphones, routers, and even VoIP phones

A newly uncovered and especially sophisticated cyberespionage initiative against government, diplomatic, and scientific research organizations spanning multiple regions worldwide that has stolen terabytes of information for at least five years could provide a clearer picture of what advanced forms of these attacks really look like.

The so-called "Red October" attacks targeting diplomatic entities mainly in Eastern Europe and Central Asia -- but spanning the U.S. as well -- is more widespread and massive than the infamous Flame cyberspying campaign, according to researchers at Kaspersky Lab, who published a report today on the attacks. They stopped short of labeling Red October as a nation-state effort, but given the custom malware, massive command-and-control infrastructure, and the sheer amount of data stolen, some researchers say a nation-state has to be behind it.

[An oft-overlooked detail about Stuxnet, Duqu, and Flame is that the attacks all targeted Windows machines in Iran even though Windows isn't allowed to be sold there under U.S. export restriction laws. See Stuxnet, Duqu, Flame Targeted Illegal Windows Systems In Iran. ]

Red October goes after governments, diplomatic offices/embassies, and research, trade/commerce, nuclear/energy, oil and gas, aerospace, and military targets. Kaspersky Lab has tallied several hundred infected organizations from these sectors, mostly in Eastern Europe. Among the infected organizations: 35 in the Russian Federation, 21 in Kazakhstan, 12 in Azerbaijan and Belgium, 14 in India, and six in the U.S.

The attacks even steal data from Windows Mobile, iPhone, and Nokia smartphones at the targeted organizations.

Roel Schouwenberg, senior researcher for global research and analysis at Kaspersky Lab, says Red October is more sophisticated than the average cyberspionage campaign. "It basically goes after everything ... on the desktop, your smartphone, your Cisco router, and your SIP [Session Initiation Protocol] phone ... Absolutely anything that could potentially be interesting and exfiltrated," he says. "So from this point of view, this is what advanced or sophisticated cyberespionage really looks like."

He says the "end customer" of the stolen information is likely a nation-state. It's just not clear based on the technical information Kaspersky has gathered thus far who is actually behind it: The exploits used in the attacks are ones used by Chinese advanced persistent threat (APT) actors, but the malware writers appear to be native Russian-speakers, according to Kaspersky's findings.

"You look at the malware first and foremost versus the exploit to see where it comes from. Exploits can come from anywhere," he says. "You always figure so much stuff is coming from China ... and people like to piggyback on that. But other than there are Russian-speaking people" involved, we don't know who is behind it, he says.

"I do think the end customer is a nation-state, especially with the strong emphasis on diplomatic organizations," Schouwenberg says.

But Dmitri Alperovitch, CTO at CrowdStrike, says the attacks have all the earmarks of a nation-state sponsored initiative. "It seemed very clear that it's a nation-state sponsored operation," Alperovitch says.

With the malware that hasn't been seen before in other cybercrime operations, contractors could be doing the work on behalf of the nation-state actors, he notes. He says it's unlikely a Chinese operation. Even so, attribution is difficult, as always. "It's hard to say: It could be Russia or other Russian-speaking countries, [including] the Ukraine or [Bellarus]. I doubt it's China," he says.

Alperovitch adds that Kaspersky Lab's name for the operation, "Red October," seems to hint of a Russian connection.

Red October doesn't appear to be a single campaign, but, rather, a series of campaigns that may have been launched at various times and targets since 2007. Kaspersky has sinkholed more than 60 domains being used by the malware, and found victims in 39 different countries. Around 250 different IP addresses connected to the sinkhole, which it ran from last Nov. 2 to Jan. 10 of this year. Most of the IPs were from Switzerland, Kazakhstan, and Greece.

"I don't think it was one operator or campaign like Aurora" and other similar APTs, Alperovitch says. "What you are dealing with here is a toolkit framework connected to a number of campaigns over a five- to six-year period.

"It's clear that significant effort went into this tool over time, so it makes sense it was used for more than one operation," he says.

Kaspersky's Schouwenberg says he thinks this is probably only a snapshot of the operation. "Overall, I do think that they probably moved from vertical [industry] to vertical [industry] ... this has been something that has been ongoing, and there might be some things we haven't seen yet," he says.

The attacks started with classic cyberspying spear-phishing emails, loaded with a custom Trojan dropper. The payload includes known exploits for Microsoft Word (CVE-2010-3333 and CVE-2012-0158) and Excel (CVE-2009-3129). The earliest attacks Kaspersky was able to trace used the Excel attack in 2010 and 2011, and attacks in the summer of 2012 employed the Word exploits. "The exploits from the documents used in the spear-phishing emails were created by other attackers and employed during different cyberattacks, including Tibetan activists as well as military and energy sector targets in Asia," according to Kaspersky's findings.

The attackers created custom versions of the so-called "Rocra" malware using the exploits. Among the capabilities of the custom malware used in the attacks: a module that lets the attackers regain a foothold into a targeted machine if it has been cleaned up or patched. The module is embedded inside Adobe Reader and Microsoft Office.

Another unique feature of the malware is that it searches for files that are encrypted with Acide Cryptofiler, an obscure encryption package used by NATO and the European Union for protecting sensitive information. Rocra also targets smartphones, routers, and switches, and can access deleted files from removable disk drives.

"They knew exactly what they were targeting," CrowdStrike's Alperovitch says of the Cryptofiler-finding feature. "This is not a global operation trying to get everything off of those infected machines. Whoever was receiving those files has to understand what they contain, how to decrypt them, and has other intelligence collected through other means," he says, all of which indicates that it's a nation-state actor, he says.

The attackers also have some serious big-data capabilities given the volume of information -- terabytes -- they are stealing. "There must be a very serious back end," Kaspersky's Schouwenberg says.

The sheer size of the command-and-control infrastructure, with some 60 domains, shows how "these guys know how to scale," he says.

Kaspersky Lab is working with law enforcement and CERT teams around the globe in the investigation into Red October. Kaspersky Lab's report on Red October is available here, and the firm is promising to publish a second part of the report later this week with more technical details.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18923
PUBLISHED: 2019-11-13
Insufficient content type validation of proxied resources in go-camo before 2.1.1 allows a remote attacker to serve arbitrary content from go-camo's origin.
CVE-2010-4664
PUBLISHED: 2019-11-13
In ConsoleKit before 0.4.2, an intended security policy restriction bypass was found. This flaw allows an authenticated system user to escalate their privileges by initiating a remote VNC session.
CVE-2010-4817
PUBLISHED: 2019-11-13
pithos before 0.3.5 allows overwrite of arbitrary files via symlinks.
CVE-2013-3097
PUBLISHED: 2019-11-13
Unspecified Cross-site scripting (XSS) vulnerability in the Verizon FIOS Actiontec MI424WR-GEN3I router.
CVE-2013-3366
PUBLISHED: 2019-11-13
Undocumented TELNET service in TRENDnet TEW-812DRU when a web page named backdoor contains an HTML parameter of password and a value of j78G�DFdg_24Mhw3.