Red October closes as Kaspersky publishes more details

Red October's 1st Stage Attack
Source: Kaspersky Almost as soon as Kaspersky began publishing details about the Red October cyberespionage network, the command and control systems behind the apparently five-year-old digital spying ring began closing down. According to a posting on Kaspersky's threatpost, the researchers who exposed the network on Monday say that "not only [are] the registrars killing the domains and the hosting providers killing the command-and-control servers but perhaps the attackers shutting down the whole operation".

The second part of Kaspersky Lab's analysis of Operation Red October lays out the technical details of the large-scale cyberespionage campaign. In it, Kaspersky explains more precisely how the various modules worked together to steal data.

For example, the campaign was not limited to computers, but also stole data from mobile phones connected to those computers, with special tools for iPhones and Nokia smartphones. As soon as a smartphone was connected, the module searched for any photos, Office documents, voice recordings and other potentially interesting file types on the device. When a Windows Mobile smartphone was connected, the Trojan module even copied a spyware program onto it.

In addition, the perpetrators didn't only rely on a typical backdoor program, but also made use of an unusual arsenal, including plugins for Adobe's Acrobat Reader and Microsoft Office that anti-virus programs rarely detected. In this way, infected systems could easily be taken over again even after they had been cleaned with an anti-virus program: the victims were simply once again supplied with PDFs or Office files that hid malicious encrypted code. The plugins waited for the document to be opened and then decrypted and executed the malicious code.

Nevertheless, after its exhaustive analysis, Kaspersky Lab does not consider Operation Red October, which made use of the Sputnik family of malware, to be the most impressive espionage campaign it has seen. As Kaspersky security researcher Kurt Baumgartner told Ars Technica: "In my opinion, Flame is the queen mother of advanced attack methodology". Flame distinguishes itself among espionage Trojans, he explained, because of its unique man-in-the-middle manipulation of Microsoft's update system, allowing it to make its way from one infected computer to the next.

IT Pro Portal writes that, after five years undetected, Operation Red October (also known as "Rocra") was finally exposed because of human errors by its operators, leaving, for example, source code on infected sites. Kaspersky Lab says that it became involved because of a client request and set up test computers that, once infected, allowed it to take a close look at the campaign.

(djwm)