
Kaspersky identifies 'Red October' cyberespionage network

It is not known whether the operation was state-sponsored or a criminal group gathering information to sell to the highest bidder

By Antone Gonsalves, CSO
January 15, 2013 07:33 AM ET

CSO - Since 2007, a cyberespionage network has been stealing confidential data from private companies, government agencies and research organizations in Eastern Europe, former Soviet republics and Central Asian countries, a security firm reported Monday.


The network, called Red October, has also stolen sensitive information from organizations in Western Europe and the U.S., but its focus was on the regions above, Kaspersky Lab said.

Most victims were diplomatic and government organizations, scientific research institutions, nuclear and energy groups, private trade groups and companies in the aerospace industries.

Kaspersky said it did not know whether the operation was state-sponsored or a criminal group gathering information to sell to the highest bidder. "The most probable scenario is for the end-customer to be a nation-state," Roel Schouwenberg, a senior researcher at Kaspersky Lab, told CSO Online.

Kaspersky discovered the network last year during an investigation stemming from a series of attacks against the computer networks of diplomatic service agencies.

The attackers, believed to have "Russian-speaking origins," used malware with a unique modular architecture comprising malicious extensions, information-stealing code and backdoor Trojans. The malware is called Rocra, short for Red October.

The cyberespionage network compromised systems of hundreds of victims across 69 companies, Schouwenberg said. "It’s likely there are more victims out there that we’re currently not aware of."


Like cascading dominoes, computer systems fell as information stolen from one was used to penetrate another. For example, stolen credentials were compiled into a list and then used to guess passwords or passphrases on additional systems.

The attackers registered more than 60 domain names and rented server hosting in several countries, most of it in Germany and Russia. Most of those servers acted as proxies, hiding the command-and-control server at the core of the operation.

The stolen files covered a wide variety of extensions. One not targeted in previously reported attacks was ".acid," which appears to belong to documents encrypted with classified software called "Acid Cryptofiler." The European Union and the North Atlantic Treaty Organization use the software.

"Previously targeted attacks that have been analyzed and reported did not focus on stealing files that were encrypted with Acid Cryptofiler," Schouwenberg said.

The attackers used spear-phishing emails to lure victims into opening attachments that exploited vulnerabilities in Microsoft Word and Excel.

The exploit code had been used before in cyberattacks on Tibetan activists and on military and energy-related targets in Asia, Kaspersky said. The executable embedded in the documents, however, was unique to Rocra.

Among the unusual attributes of the Rocra malware was a "resurrection" module installed as a plug-in for Adobe Reader and Microsoft Office. Because those applications load the plug-in whenever they start, it let the attackers regain control of a system after the main body of the malware had been discovered and removed.
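A defender reading this will want to know where such plug-ins live on a Windows host. The following PowerShell check is an added example written for this page; it is not Kaspersky's code and not taken from the Rocra analysis. It enumerates the standard COM add-in registration keys for Word, Excel, PowerPoint and Outlook, resolves each add-in to the DLL that the Office process loads, lists the .api plug-ins under Adobe Reader's plug_ins folder (assuming a default install under Program Files), and reports the Authenticode status of each module so that unsigned or missing files stand out. The helper name Get-SignatureStatus is this example's own.

```powershell
# Added example, not code from the article or from Kaspersky. Lists the
# plug-in locations that Office and Adobe Reader load at startup so a
# responder can review them for unexpected or unsigned modules. Nothing
# here is specific to Rocra; compare the output with your software inventory.

$officeApps = 'Word', 'Excel', 'PowerPoint', 'Outlook'
$hives = @(
    'HKCU:\Software\Microsoft\Office',
    'HKLM:\Software\Microsoft\Office',
    'HKLM:\Software\WOW6432Node\Microsoft\Office'   # 32-bit Office on 64-bit Windows
)
$findings = [System.Collections.Generic.List[object]]::new()

function Get-SignatureStatus([string]$Path) {
    # Authenticode status of a module, or NoFile when the path does not resolve.
    if (-not $Path) { return 'NoFile' }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    if (-not (Test-Path -LiteralPath $expanded)) { return 'NoFile' }
    return (Get-AuthenticodeSignature -LiteralPath $expanded).Status
}

# 1. COM add-ins: each subkey under <app>\Addins is a ProgID. Resolve it via
#    HKCR (ProgID -> CLSID -> InprocServer32) to the DLL that really gets loaded.
foreach ($hive in $hives) {
    foreach ($app in $officeApps) {
        $key = Join-Path $hive "$app\Addins"
        if (-not (Test-Path $key)) { continue }
        foreach ($addin in Get-ChildItem $key) {
            $props  = Get-ItemProperty $addin.PSPath
            $progId = $addin.PSChildName
            $clsid  = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$progId\CLSID" -ErrorAction SilentlyContinue).'(default)'
            $module = $null
            if ($clsid) {
                $module = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            }
            # VSTO add-ins register a Manifest value instead of a COM server.
            if (-not $module -and $props.Manifest) { $module = $props.Manifest }
            $findings.Add([pscustomobject]@{
                Source       = "Office/$app"
                Name         = $progId
                LoadBehavior = $props.LoadBehavior   # 3 = load when the application starts
                Module       = $module
                Signature    = Get-SignatureStatus $module
            })
        }
    }
}

# 2. Adobe Reader: every .api file under plug_ins is loaded when Reader starts.
#    The wildcard path assumes a default install (assumption for this example).
foreach ($dir in (Get-Item 'C:\Program Files*\Adobe\*\Reader\plug_ins' -ErrorAction SilentlyContinue)) {
    foreach ($api in Get-ChildItem -LiteralPath $dir.FullName -Filter *.api -Recurse) {
        $findings.Add([pscustomobject]@{
            Source       = 'AdobeReader'
            Name         = $api.Name
            LoadBehavior = $null
            Module       = $api.FullName
            Signature    = Get-SignatureStatus $api.FullName
        })
    }
}

# Unsigned, NotSigned or NoFile entries are the first things to examine.
$findings | Sort-Object Signature, Source | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so that HKLM and the Program Files tree are readable. A valid signature only says the vendor signed the module; an entry whose LoadBehavior is 3 but whose vendor, install date or path you cannot account for still deserves a look, and a module an attacker registered to survive removal of the main implant is exactly what such a review is meant to surface.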
