SecurityWeek

Cyberwarfare

‘Red October’ Cyber Espionage Campaign Rivals Flame in Complexity

Cyber security researchers have turned up evidence of a sophisticated cyber-espionage campaign that has been targeting political and business groups throughout the world for more than five years.

The campaign, dubbed ‘Red October’ by security researchers, is believed to have been started by a Russian-speaking group that targeted institutions throughout the world using malware that not only compromised workstations, but also mobile devices such as Windows Mobile and the Apple iPhone.

The investigation into the campaign was run by researchers from Kaspersky Lab and several Computer Emergency Response Teams (CERTs) in the U.S., Belarus and Romania. The largest number of infections was found in the Russian Federation, with Kazakhstan being the second most targeted country. Based on registration data of command and control (C&C) servers and “numerous artifacts left in executables of the malware,” Kaspersky Lab researchers believe the attackers have Russian-speaking origins – though the attackers used public exploit code that originally came from a previously known targeted attack campaign with Chinese origins.

“This campaign personifies the steal everything mantra,” Roel Schouwenberg, senior researcher, Kaspersky Lab, told SecurityWeek. “Next to the more standard things it’s after files encrypted by classified software used by the European Parliament and NATO. It’s also able to siphon the data off of smart phones, Cisco routers and SIP phones. On the operations side the C&C infrastructure is huge, spanning sixty domains and numerous servers.”

The campaign – also called ‘Rocra’, which is short for Red October – is currently still active, with data being sent to multiple C&C servers through a configuration Kaspersky Lab researchers said rivals the infrastructure of the Flame malware in complexity. So far, researchers said, no evidence has turned up indicating any connection between Red October and the Flame, Duqu or Gauss attacks.

Operation Red October

The attackers behind the campaign used a custom-made malware framework with a modular architecture comprising malicious extensions, information-stealing modules and backdoor Trojans. The main purpose of the attack is to steal information, including files from different cryptographic systems such as «Acid Cryptofiler», which is known to have been used in organizations of the European Union, European Parliament and European Commission since the summer of 2011, according to Kaspersky Lab.

The stolen information also included user credentials, which were compiled in a list and used when the attackers needed to guess passwords or phrases to access additional systems. To control the compromised machines, the attackers created more than 60 domain names and several server hosting locations in different countries, mostly in Germany and Russia. Several servers were working as proxies in order to mask the location of the “mothership control server,” according to Kaspersky Lab.

“The malicious code was delivered via e-mail as attachments (Microsoft Excel, Word and, probably, PDF documents) which were rigged with exploit code for known security vulnerabilities in the mentioned applications,” Kaspersky Lab noted in a report. “Right after the victim opened the malicious document on a vulnerable system, the embedded malicious code initiated the setup of the main component, which in turn handled further communication with the C&C servers. Next, the system receives a number of additional spy modules from the C&C server, including modules to handle infection of smartphones.”

The attackers exploited at least three different vulnerabilities: CVE-2009-3129 (Microsoft Excel), CVE-2010-3333 (Microsoft Word) and CVE-2012-0158 (Microsoft Word). The first attacks using the exploit CVE-2009-3129 started in 2010, while attacks targeting the Microsoft Word vulnerabilities appeared in the summer of 2012.

“Another day dawns and brings us another disclosure of a major campaign against multiple targets across the globe,” said Anup Ghosh, CEO of Invincea. “If there is anyone left in the security industry that doesn’t believe we have a major problem on our hands, I would be mortified. For the past few years the drumbeat has been growing louder and louder – and frankly, nothing seems shocking any longer in the face of all we have seen. But we should be shocked with every new disclosure because what it shows us is that we aren’t doing what is necessary to fight back against our adversaries and our nations and corporations face existential threats as a result.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
