Kaspersky Lab Dives Deeper Into Red October Cyber-espionage Campaign

The phrase ‘Hunt for Red October‘ no longer refers only to the work of author Tom Clancy, or the film based on his novel.

Today, it also refers to a sophisticated cyber-espionage operation that stretches back to 2007. On the perpetrators’ tails have been a team of researchers from Kaspersky Lab and Computer Emergency Response Teams (CERTs) around the world. Now, in a detailed analysis, Kaspersky Lab has posted more information about the inner workings of an attack its researchers say rivals Flame in complexity.

“According to our knowledge, never before in the history of ITSec has [a] cyber-espionage operation been analyzed in such deep detail, with a focus on the modules used for attack and data exfiltration,” Kaspersky Lab blogged. “In most cases, the analysis is compromised by the lack of access to the victim’s data; the researchers see only some of the modules and do not understand the full purpose of the attack or what was stolen.”

“To get around these hiccups, we set up several fake victims around the world and monitored how the attackers handled them over the course of several months. This allowed us to collect hundreds of attack modules and tools. In addition to these, we identified many other modules used in other attacks, which allowed us to gain a unique insight into the attack.”

At the center of the attack is the malware, detected by Kaspersky Lab as Backdoor.Win32.Sputnik. With Sputnik, the attackers infected hundreds of systems around the world, primarily on government networks in Eastern Europe. According to Kaspersky, the main component of Sputnik implements a framework for executing tasks, some of which are executed in memory and then immediately discarded. Others, such as waiting for an iPhone or Nokia phone to be connected, are persistent.

Among the modules unmasked in the analysis is a module embedded as a plugin inside Adobe Reader and Microsoft Office that allows the attackers to “resurrect” infected machines if the main malware body is discovered and removed or the system is patched. This feature can be triggered when the attackers send a malicious document file to the victim’s machine via email to reactivate the malware.

Other modules are meant to steal information, including files from different cryptographic systems such as Acid Cryptofiler, which is known to be used in organizations of NATO, the European Union and other government entities.

To get the malware onto targeted computers, the attackers used a mix of Microsoft Word and Excel exploits and targeted a known Java vulnerability as well.

“The research that we are publishing today is perhaps the biggest malware research paper ever,” according to Kaspersky Lab. “It is certainly the most complex malware research effort in the history of our company and we hope that it sets new standards for what anti-virus and anti-malware research means today.”

The company’s complete analysis can be read online here.