1/14/2013
03:23 PM
'Red October' Attacks: The New Face Of Cyberespionage

New cyberspying attacks discovered siphoning terabytes of information from computers, smartphones, routers, and even VoIP phones

A newly uncovered and especially sophisticated cyberespionage campaign against government, diplomatic, and scientific research organizations in multiple regions worldwide, which has stolen terabytes of information over at least five years, could provide a clearer picture of what advanced attacks of this kind really look like.

The so-called "Red October" attacks, which target diplomatic entities mainly in Eastern Europe and Central Asia but reach the U.S. as well, are more widespread and massive than the infamous Flame cyberspying campaign, according to researchers at Kaspersky Lab, who published a report today on the attacks. They stopped short of labeling Red October a nation-state effort, but given the custom malware, the massive command-and-control infrastructure, and the sheer amount of data stolen, some researchers say a nation-state has to be behind it.


Red October goes after governments, diplomatic offices/embassies, and research, trade/commerce, nuclear/energy, oil and gas, aerospace, and military targets. Kaspersky Lab has tallied several hundred infected organizations from these sectors, mostly in Eastern Europe. Among the infected organizations: 35 in the Russian Federation, 21 in Kazakhstan, 12 in Azerbaijan and Belgium, 14 in India, and six in the U.S.

The attacks even steal data from Windows Mobile, iPhone, and Nokia smartphones at the targeted organizations.

Roel Schouwenberg, senior researcher for global research and analysis at Kaspersky Lab, says Red October is more sophisticated than the average cyberespionage campaign. "It basically goes after everything ... on the desktop, your smartphone, your Cisco router, and your SIP [Session Initiation Protocol] phone ... Absolutely anything that could potentially be interesting and exfiltrated," he says. "So from this point of view, this is what advanced or sophisticated cyberespionage really looks like."

He says the "end customer" of the stolen information is likely a nation-state. It's just not clear based on the technical information Kaspersky has gathered thus far who is actually behind it: The exploits used in the attacks are ones used by Chinese advanced persistent threat (APT) actors, but the malware writers appear to be native Russian-speakers, according to Kaspersky's findings.

"You look at the malware first and foremost versus the exploit to see where it comes from. Exploits can come from anywhere," he says. "You always figure so much stuff is coming from China ... and people like to piggyback on that. But other than there are Russian-speaking people" involved, we don't know who is behind it, he says.

"I do think the end customer is a nation-state, especially with the strong emphasis on diplomatic organizations," Schouwenberg says.

But Dmitri Alperovitch, CTO at CrowdStrike, says the attacks have all the earmarks of a nation-state sponsored initiative. "It seemed very clear that it's a nation-state sponsored operation," Alperovitch says.

Because the malware hasn't been seen in other cybercrime operations, contractors could be doing the work on behalf of the nation-state actors, he notes. He says it's unlikely to be a Chinese operation. Even so, attribution is difficult, as always. "It's hard to say: It could be Russia or other Russian-speaking countries, [including] the Ukraine or [Belarus]. I doubt it's China," he says.

Alperovitch adds that Kaspersky Lab's name for the operation, "Red October," seems to hint of a Russian connection.

Red October doesn't appear to be a single campaign, but, rather, a series of campaigns that may have been launched at various times against various targets since 2007. Kaspersky has sinkholed more than 60 domains used by the malware and found victims in 39 different countries. Around 250 different IP addresses connected to the sinkhole, which it ran from Nov. 2, 2012, to Jan. 10, 2013. Most of the IPs were from Switzerland, Kazakhstan, and Greece.
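Kaspersky's sinkhole figures above come from a standard exercise: point seized or expired C2 domains at a server you control and count who still calls home. As an added example, not code from Kaspersky's investigation or from Dark Reading, the following Python script performs that tally over constructed sinkhole hits. It keeps only requests for the sinkholed hostnames that fall inside the collection window, drops addresses belonging to the analyst's own scanners, de-duplicates by source IP, and counts victims per country. The hostnames, addresses, the OWN_INFRA set and the prefix-to-country table (standing in for a real GeoIP database) are all assumptions.

```python
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sinkhole hits, one per line: "<iso8601> <src_ip> <requested_host>".
# These are documentation addresses and example hostnames, not real Red October data.
SINKHOLE_LOG = """\
2012-11-02T03:14:07Z 198.51.100.23 c2-a.example
2012-11-02T03:14:09Z 198.51.100.23 c2-a.example
2012-11-05T11:02:55Z 203.0.113.9 c2-b.example
2012-11-20T17:45:01Z 203.0.113.44 c2-a.example
2012-12-01T08:30:12Z 192.0.2.77 c2-b.example
2012-12-10T10:00:00Z 203.0.113.44 c2-c.example
2012-12-19T23:59:59Z 192.0.2.78 c2-c.example
2013-01-09T06:00:00Z 198.51.100.200 c2-a.example
2013-01-11T09:00:00Z 203.0.113.9 c2-a.example
2013-01-03T12:00:00Z 198.51.100.23 unrelated.example
"""

# Hostnames that were actually redirected to the sinkhole (assumed).
SINKHOLED_DOMAINS = {"c2-a.example", "c2-b.example", "c2-c.example"}

# Constructed prefix -> country table standing in for a GeoIP database.
GEO = {
    ip_network("198.51.100.0/24"): "CH",
    ip_network("203.0.113.0/24"): "KZ",
    ip_network("192.0.2.0/24"): "GR",
}

# Our own scanners and sandboxes also hit the sinkhole; they are not victims (assumed).
OWN_INFRA = {ip_address("198.51.100.200")}

# Collection window reported in the article.
WINDOW_START = datetime(2012, 11, 2, tzinfo=timezone.utc)
WINDOW_END = datetime(2013, 1, 10, 23, 59, 59, tzinfo=timezone.utc)


def parse_line(line):
    """Split one log line into (timestamp, source address, requested host)."""
    ts, ip, host = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip_address(ip), host


def country_of(ip):
    """Longest-prefix lookup is overkill for a toy table; first match wins here."""
    for net, cc in GEO.items():
        if ip in net:
            return cc
    return "??"


def summarize(log_text):
    """Count distinct victim IPs per country and note hosts that reached several C2 domains."""
    victims = {}  # source ip -> set of sinkholed domains it contacted
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, ip, host = parse_line(line)
        if host not in SINKHOLED_DOMAINS or ip in OWN_INFRA:
            continue
        if not (WINDOW_START <= when <= WINDOW_END):
            continue
        victims.setdefault(ip, set()).add(host)

    by_country = Counter(country_of(ip) for ip in victims)
    multi_domain = sorted(str(ip) for ip, hosts in victims.items() if len(hosts) > 1)
    return {
        "unique_victims": len(victims),
        "by_country": by_country.most_common(),
        "multi_domain": multi_domain,
    }


if __name__ == "__main__":
    report = summarize(SINKHOLE_LOG)
    print(f"unique victims: {report['unique_victims']}")
    for cc, n in report["by_country"]:
        print(f"  {cc}: {n}")
    print(f"hosts contacting more than one C2 domain: {report['multi_domain']}")
```

De-duplicating by IP undercounts victims behind NAT and overcounts hosts whose address changes, which is why sinkhole totals such as "around 250 IP addresses" are an estimate of infected networks rather than of infected machines.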

"I don't think it was one operator or campaign like Aurora" and other similar APTs, Alperovitch says. "What you are dealing with here is a toolkit framework connected to a number of campaigns over a five- to six-year period.

"It's clear that significant effort went into this tool over time, so it makes sense it was used for more than one operation," he says.

Kaspersky's Schouwenberg says he thinks this is probably only a snapshot of the operation. "Overall, I do think that they probably moved from vertical [industry] to vertical [industry] ... this has been something that has been ongoing, and there might be some things we haven't seen yet," he says.

The attacks started with classic cyberspying spear-phishing emails carrying a custom Trojan dropper. The malicious attachments exploit known vulnerabilities in Microsoft Word (CVE-2010-3333 and CVE-2012-0158) and Excel (CVE-2009-3129). The earliest attacks Kaspersky was able to trace used the Excel exploit in 2010 and 2011; attacks in the summer of 2012 employed the Word exploits. "The exploits from the documents used in the spear-phishing emails were created by other attackers and employed during different cyberattacks, including Tibetan activists as well as military and energy sector targets in Asia," according to Kaspersky's findings.
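Because the lures reuse well-known document exploits, a mail gateway can catch many of them with a cheap structural check before any sandboxing. As an added example, not code from Kaspersky's report or from Dark Reading, the following Python triage heuristic flags RTF attachments built the way CVE-2010-3333 exploits are: a drawing-object pFragments property whose \sv value is an oversized hex string. The RTF samples are constructed, the 64-character threshold is an assumption to be tuned against your own benign corpus, and this is a first-pass filter, not a replacement for a signature engine or detonation.

```python
import re

# Weaponized RTFs for CVE-2010-3333 carry the overflow payload in a drawing-object
# property block shaped like {\sp{\sn pFragments}{\sv <hex>}}. Benign documents
# almost never use pFragments at all, and never with a long value.
PFRAGMENTS_RE = re.compile(
    rb"\\sn\s*pFragments\s*\}\s*\{\s*\\sv\s*([0-9A-Fa-f;]*)", re.IGNORECASE
)
SUSPICIOUS_HEX_LEN = 64  # assumed threshold; tune against a benign corpus


def is_rtf(blob):
    """Word opens files whose header is truncated to '{\\rt', so accept that too."""
    return blob.lstrip()[:4].lower() == b"{\\rt"


def normalize(blob):
    """Collapse line breaks that attackers scatter between tokens to defeat keyword scanners."""
    return re.sub(rb"[\r\n]+", b" ", blob)


def triage_rtf(blob):
    """Return a verdict for one attachment: not-rtf, clean, suspicious or malicious-likely."""
    if not is_rtf(blob):
        return {"verdict": "not-rtf", "pfragments": False, "sv_hex_len": 0}
    match = PFRAGMENTS_RE.search(normalize(blob))
    if match is None:
        return {"verdict": "clean", "pfragments": False, "sv_hex_len": 0}
    hex_len = len(match.group(1))
    verdict = "malicious-likely" if hex_len > SUSPICIOUS_HEX_LEN else "suspicious"
    return {"verdict": verdict, "pfragments": True, "sv_hex_len": hex_len}


def triage_attachments(attachments):
    """Given (name, bytes) pairs, return the names that should be held back, with verdicts."""
    held = []
    for name, blob in attachments:
        result = triage_rtf(blob)
        if result["verdict"] in ("suspicious", "malicious-likely"):
            held.append((name, result["verdict"]))
    return held


# Constructed samples, not real Red October lures.
BENIGN_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Times New Roman;}}"
    b"\\f0 Please find the embassy programme attached.\\par}"
)
# Truncated header, line breaks inside the property block, and a long hex blob.
EXPLOIT_RTF = (
    b"{\\rt\\ansi{\\shp{\\*\\shpinst{\\sp{\\sn\r\npFragments}\r\n{\\sv 9;2;"
    + b"41" * 120
    + b"}}}}}"
)
# pFragments present but short: worth a second look, not an automatic block.
SHORT_RTF = b"{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv 1;4;aabb}}}}"
PDF_BLOB = b"%PDF-1.4 ..."


if __name__ == "__main__":
    samples = [("agenda.rtf", BENIGN_RTF), ("invite.doc", EXPLOIT_RTF),
               ("notes.rtf", SHORT_RTF), ("brief.pdf", PDF_BLOB)]
    for name, blob in samples:
        print(name, triage_rtf(blob))
    print("held:", triage_attachments(samples))
```

The check deliberately keys on the `.doc` lure with an RTF body, since Word dispatches on content rather than extension; a real deployment would also parse the OLE container for the Excel and MSCOMCTL cases, which this heuristic does not cover.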

The attackers paired those exploits with custom builds of the malware Kaspersky calls "Rocra." Among its capabilities is a module that lets the attackers regain a foothold on a targeted machine after it has been cleaned up or patched: the module is installed as a plug-in inside Adobe Reader and Microsoft Office, so a later document can reactivate the implant.

Another unusual feature of the malware is that it searches for files encrypted with Acid Cryptofiler, an obscure encryption package used by NATO and the European Union for protecting sensitive information. Rocra also targets smartphones, routers, and switches, and can recover deleted files from removable drives.

"They knew exactly what they were targeting," CrowdStrike's Alperovitch says of the Cryptofiler-finding feature. "This is not a global operation trying to get everything off of those infected machines. Whoever was receiving those files has to understand what they contain, how to decrypt them, and has other intelligence collected through other means," he says, all of which points to a nation-state actor.

The attackers also have some serious big-data capabilities given the volume of information -- terabytes -- they are stealing. "There must be a very serious back end," Kaspersky's Schouwenberg says.

The sheer size of the command-and-control infrastructure, with some 60 domains, shows how "these guys know how to scale," he says.

Kaspersky Lab is working with law enforcement and CERT teams around the globe on the Red October investigation. The firm has published the first part of its report on Red October and is promising a second part later this week with more technical details.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
