Operation Red October - large-scale cyber-espionage uncovered

The structure of the command and control servers serves to conceal the actual point of origin
Source: Kaspersky Lab Security experts at Kaspersky Lab have apparently uncovered a massive case of cyber-espionage. An analysis published on Monday states that computer networks in diplomatic missions, government and trade organisations, energy companies, and research, aerospace and military institutions have been infiltrated for an estimated five years. A sophisticated infrastructure appears to have enabled the unknown hackers to make off with terabytes of highly confidential geopolitical information and other data.

Kaspersky reports that it first found indications of the existence of the espionage infrastructure, designated "Red October" or "Rocra", in October. The investigation that followed uncovered hundreds of infections in major institutions worldwide. The organisations affected were primarily located in Eastern Europe, Central Asia and the former Soviet Union, with the largest number of infections being found in Russia, followed by Kazakhstan and Azerbaijan. The number of infections found in Western Europe and North America was low.

According to Kaspersky, the overall structure of Red October has a complexity comparable to that of Flame. The hackers controlled their network of infected computers from more than 60 domains and numerous servers located in various countries, but principally in Germany and Russia. The servers are, according to Kaspersky, organised in a chain with proxies downstream of the actual C&C servers to impede discovery of the location of the central control points. Registration data for the C&C domains and other information indicates that the attacks have been ongoing since at least May 2007. The system is apparently still active and data continues to be sent to the C&C servers.

The malware itself is similarly complex. The experts have identified more than 1000 files, in around 30 module categories, belonging to it. This setup allowed the hackers to take full advantage of the infections. As well as attacking workstations, the malware modules are able to steal data from mobile devices and tap into network components and local FTP servers. This allows emails to be accessed both locally and via POP or IMAP servers. The malware is also able to steal files, including ones that have been deleted, from USB drives, with Red October apparently using its own proprietary protocol to recover them.

Infections occurred through contaminated attachments to emails like this
Source: Kaspersky Lab

The hackers appear to have used spear phishing techniques to initiate infections. Selected victims were sent emails containing infected attachments, with the attachments designed to be of maximum interest to the target. Following successful infection with the main malware component, further modules for purposes such as infecting the victim's smartphone were then silently downloaded from C&C servers. Security vulnerabilities in Microsoft Word, Microsoft Excel and Adobe Reader were among those exploited to infect victims' computers. According to Kaspersky's analysis, information obtained from infiltrated networks was systematically collated and used for subsequent attacks.

The online spies were particularly interested in files with the extension .acid, created by the program Acid Cryptofiler. According to Kaspersky, this is an encryption application used by organisations including the European Union and NATO.

The identity of those behind this major espionage campaign remains unclear. The Kaspersky team estimates the likelihood that the cyber-espionage has been financed by a single state as low. Certain clues, such as linguistic features in the code, point to the malware modules having been developed by Russian hackers. According to their analysis, the system was developed from scratch and has not been used in any other known case of cyber-espionage.

(fab)