Security Experts:

Connect with us

Hi, what are you looking for?



Kaspersky Lab Dives Deeper Into Red October Cyber-espionage Campaign

The phrase ‘Hunt for Red October‘ no longer refers only to the work of author Tom Clancy, or the film based on his novel.

The phrase ‘Hunt for Red October‘ no longer refers only to the work of author Tom Clancy, or the film based on his novel.

Today, it also refers to a sophisticated cyber-espionage operation that stretches back to 2007. On the perpetrators’ tails have been a team of researchers from Kaspersky Lab and Computer Emergency Response Teams (CERTs) around the world. Now, in a detailed analysis, Kaspersky Lab has posted more information about the inner workings of an attack its researchers say rivals Flame in complexity.

Red October Attacks Malware“According to our knowledge, never before in the history of ITSec has [a] cyber-espionage operation been analyzed in such deep detail, with a focus on the modules used for attack and data exfiltration,” Kaspersky Lab blogged. “In most cases, the analysis is compromised by the lack of access to the victim’s data; the researchers see only some of the modules and do not understand the full purpose of the attack or what was stolen.”

“To get around these hiccups, we set up several fake victims around the world and monitored how the attackers handled them over the course of several months. This allowed us to collect hundreds of attack modules and tools. In addition to these, we identified many other modules used in other attacks, which allowed us to gain a unique insight into the attack.”

At the center of the attack is the malware, detected by Kaspersky Lab as Backdoor.Win32.Sputnik. With Sputnik, the attackers infected hundreds of systems around the world, primarily on government networks in Eastern Europe. According to Kaspersky, the main component of Sputnik implements a framework for executing tasks, some of which are executed in memory and then immediately discarded. Others, such as waiting for an iPhone or Nokia phone to be connected, are persistent.

Among the modules unmasked in the analysis is a module embedded as a plugin inside Adobe Reader and Microsoft Office that allows the attackers to “resurrect” infected machines if the main malware body is discovered and removed or the system is patched. This feature can be triggered when the attackers send a malicious document file to the victim’s machine via email to reactivate the malware.

Other modules are meant to steal information, including files from different cryptographic systems such as Acid Cryptofiler, which is known to be used in organizations of NATO, the European Union and other government entities.

To get the malware onto targeted computers, the attackers used a mix of Microsoft Word and Excel exploits and targeted a known Java vulnerability as well.

“The research that we are publishing today is perhaps the biggest malware research paper ever,” according to Kaspersky Lab. “It is certainly the most complex malware research effort in the history of our company and we hope that it sets new standards for what anti-virus and anti-malware research means today.”

The company’s complete analysis can be read online here. 

Written By

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...