‘Red October’ Cyber Espionage Campaign Rivals Flame in Complexity

Cyber security researchers have turned up evidence of a sophisticated cyber-espionage campaign that has been targeting political and business groups throughout the world for more than five years.

The campaign, dubbed ‘Red October’ by security researchers, is believed to have been started by a Russian-speaking group that targeted institutions throughout the world using malware that not only targeted workstations, but also mobile devices such as Windows Mobile and the Apple iPhone.

The investigation into the campaign was run by researchers from Kaspersky Lab and several Computer Emergency Response Teams (CERTs) in the U.S., Belarus and Romania. The largest number of infections was found in the Russian Federation, with Kazakhstan being the second most targeted country. Based on registration data of command and control (C&C) servers and “numerous artifacts left in executables of the malware,” Kaspersky Lab researchers believe the attackers have Russian-speaking origins – though the attackers used public exploit code that originally came from a previously known targeted attack campaign with Chinese origins.

“This campaign personifies the steal everything mantra,” Roel Schouwenberg, senior researcher, Kaspersky Lab, told SecurityWeek. “Next to the more standard things it’s after files encrypted by classified software used by the European Parliament and NATO. It’s also able to siphon the data off of smart phones, Cisco routers and SIP phones. On the operations side the C&C infrastructure is huge, spanning sixty domains and numerous servers.”

The campaign – also called ‘Rocra’, which is short for Red October – is still active, with data being sent to multiple C&C servers through a configuration that Kaspersky Lab researchers said rivals the infrastructure of the Flame malware in complexity. So far, researchers said, no evidence has turned up indicating any connection between Red October and the Flame, Duqu or Gauss attacks.

Operation Red October

The attackers behind the campaign used a custom-made malware framework with a modular architecture composed of malicious extensions, information-stealing modules and backdoor Trojans. The main purpose of the attack is to steal information, including files from different cryptographic systems such as «Acid Cryptofiler», which is known to have been used in organizations of the European Union/European Parliament/European Commission since the summer of 2011, according to Kaspersky Lab.

The stolen information also included user credentials, which were compiled in a list and used when the attackers needed to guess passwords or phrases to access additional systems. To control the compromised machines, the attackers created more than 60 domain names and several server hosting locations in different countries, mostly in Germany and Russia. Several servers were working as proxies in order to mask the location of the “mothership control server,” according to Kaspersky Lab.

“The malicious code was delivered via e-mail as attachments (Microsoft Excel, Word and, probably PDF documents) which were rigged with exploit code for known security vulnerabilities in the mentioned applications,” Kaspersky Lab noted in a report. “Right after the victim opened the malicious document on a vulnerable system, the embedded malicious code initiated the setup of the main component which in turn handled further communication with the C&C servers. Next, the system receives a number of additional spy modules from the C&C server, including modules to handle infection of smartphones.”

The attackers exploited at least three different vulnerabilities: CVE-2009-3129 (Microsoft Excel), CVE-2010-3333 (Microsoft Word) and CVE-2012-0158 (Microsoft Word). The first attacks using the exploit CVE-2009-3129 started in 2010, while attacks targeting the Microsoft Word vulnerabilities appeared in the summer of 2012.

“Another day dawns and brings us another disclosure of a major campaign against multiple targets across the globe,” said Anup Ghosh, CEO of Invincea. “If there is anyone left in the security industry that doesn’t believe we have a major problem on our hands, I would be mortified. For the past few years the drumbeat has been growing louder and louder – and frankly, nothing seems shocking any longer in the face of all we have seen. But we should be shocked with every new disclosure because what it shows us is that we aren’t doing what is necessary to fight back against our adversaries and our nations and corporations face existential threats as a result.”
