‘Red October’ Cyber Espionage Campaign Rivals Flame in Complexity

Cyber security researchers have turned up evidence of a sophisticated cyber-espionage campaign that has been targeting political and business groups throughout the world for more than five years.

The campaign, dubbed ‘Red October’ by security researchers, is believed to have been started by a Russian-speaking group that targeted institutions throughout the world using malware that not only targeted workstations, but also mobile devices such as Windows Mobile and the Apple iPhone.

The investigation into the campaign was run by researchers from Kaspersky Lab and several Computer Emergency Response Teams (CERTs) in the U.S., Belarus and Romania. The largest number of infections was found in the Russian Federation, with Kazakhstan being the second most targeted country. Based on registration data of command and control (C&C) servers and “numerous artifacts left in executables of the malware,” Kaspersky Lab researchers believe the attackers have Russian-speaking origins – though the attackers used public exploit code that originally came from a previously known targeted attack campaign with Chinese origins.

“This campaign personifies the steal everything mantra,” Roel Schouwenberg, senior researcher, Kaspersky Lab, told SecurityWeek. “Next to the more standard things it’s after files encrypted by classified software used by the European Parliament and NATO. It’s also able to siphon the data off of smart phones, Cisco routers and SIP phones. On the operations side the C&C infrastructure is huge, spanning sixty domains and numerous servers.”

The campaign – also called ‘Rocra’, which is short for Red October – is currently still active with data being sent to multiple C&C servers through a configuration Kaspersky Lab researchers said rivals the infrastructure of the Flame malware in complexity. So far, researchers said, no evidence has turned up indicating any connection between Red October and the Flame, Duqu or Gauss attacks.

Operation Red October

The attackers behind the campaign used a custom-made malware framework with a modular architecture consisting of malicious extensions, information-stealing modules and backdoor Trojans. The main purpose of the attack is to steal information, including files from different cryptographic systems such as «Acid Cryptofiler», which is known to have been used in organizations of the European Union/European Parliament/European Commission since the summer of 2011, according to Kaspersky Lab.

The stolen information also included user credentials, which were compiled in a list and used when the attackers needed to guess passwords or phrases to access additional systems. To control the compromised machines, the attackers created more than 60 domain names and several server hosting locations in different countries, mostly in Germany and Russia. Several servers were working as proxies in order to mask the location of the “mothership control server,” according to Kaspersky Lab.

“The malicious code was delivered via e-mail as attachments (Microsoft Excel, Word and, probably PDF documents) which were rigged with exploit code for known security vulnerabilities in the mentioned applications,” Kaspersky Lab noted in a report. “Right after the victim opened the malicious document on a vulnerable system, the embedded malicious code initiated the setup of the main component which in turn handled further communication with the C&C servers. Next, the system receives a number of additional spy modules from the C&C server, including modules to handle infection of smartphones.”

The attackers exploited at least three different vulnerabilities: CVE-2009-3129 (Microsoft Excel), CVE-2010-3333 (Microsoft Word) and CVE-2012-0158 (Microsoft Word). The first attacks using the exploit CVE-2009-3129 started in 2010, while attacks targeting the Microsoft Word vulnerabilities appeared in the summer of 2012.
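The infection chain Kaspersky describes above (a rigged Office or PDF attachment is opened, the exploit drops a main component, and that component starts talking to a C&C server) is the kind of sequence a defender can look for in endpoint telemetry. The following script is an added example, not code from the article or from Kaspersky's report: it correlates constructed process-creation and network-connection log lines per host and flags any child process spawned by a document application that makes an outbound connection within a few minutes. All hostnames, process names and the `c2.example` domain are placeholders invented for the example, not indicators from the campaign.

```python
"""
Added example (not from the SecurityWeek article or Kaspersky's report):
detect the "rigged document -> dropped component -> C&C beacon" chain by
correlating two constructed event types per host:

  1. process-creation events where a document application (Excel, Word,
     a PDF reader) spawns a child executable, and
  2. outbound network connections made by that child shortly afterwards.

Every log line, host name, process name and domain below is constructed
for illustration; none of them are indicators from the Red October campaign.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Delivery vehicles named in the article: Excel, Word and (probably) PDF documents.
DOCUMENT_APPS = {"excel.exe", "winword.exe", "acrord32.exe"}

# How long after the spawn an outbound connection still counts as related.
CORRELATION_WINDOW = timedelta(minutes=5)


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str        # "proc" (process creation) or "net" (outbound connection)
    parent: str      # parent process image (proc events only, else "")
    image: str       # process image that was created / that connected
    pid: int
    dest: str = ""   # remote host (net events only)


def parse_line(line: str) -> Event:
    """Parse one constructed, pipe-delimited log line.

    proc: <iso-timestamp>|<host>|proc|<parent image>|<child image>|<child pid>
    net:  <iso-timestamp>|<host>|net|<image>|<pid>|<destination>
    """
    fields = line.strip().split("|")
    ts = datetime.fromisoformat(fields[0])
    host, kind = fields[1], fields[2]
    if kind == "proc":
        return Event(ts, host, kind, fields[3].lower(), fields[4].lower(), int(fields[5]))
    if kind == "net":
        return Event(ts, host, kind, "", fields[3].lower(), int(fields[4]), fields[5])
    raise ValueError(f"unknown event kind: {kind!r}")


def find_document_spawned_beacons(lines):
    """Return (host, parent, child, destination) tuples for every child of a
    document application that opened an outbound connection inside the window."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    spawned = {}   # (host, pid) -> (spawn time, parent image, child image)
    hits = []
    for ev in events:
        if ev.kind == "proc" and ev.parent in DOCUMENT_APPS:
            spawned[(ev.host, ev.pid)] = (ev.ts, ev.parent, ev.image)
        elif ev.kind == "net":
            spawn = spawned.get((ev.host, ev.pid))
            # Same pid, same image, and the connection follows the spawn closely.
            if spawn and ev.image == spawn[2] and ev.ts - spawn[0] <= CORRELATION_WINDOW:
                hits.append((ev.host, spawn[1], ev.image, ev.dest))
    return hits


# Constructed sample telemetry: ws-17 shows the suspicious chain (Outlook -> Word
# -> dropped executable -> outbound connection); ws-22 shows Excel itself talking
# to an internal server, which is benign and must not be flagged.
SAMPLE_LOG = """
2013-01-14T09:00:01|ws-17|proc|explorer.exe|outlook.exe|1200
2013-01-14T09:01:10|ws-17|proc|outlook.exe|winword.exe|1310
2013-01-14T09:01:12|ws-17|proc|winword.exe|dropper_placeholder.exe|1412
2013-01-14T09:01:20|ws-17|net|dropper_placeholder.exe|1412|c2.example
2013-01-14T09:02:00|ws-17|net|outlook.exe|1200|mail.corp.example
2013-01-14T09:05:00|ws-22|proc|explorer.exe|excel.exe|2200
2013-01-14T09:05:30|ws-22|net|excel.exe|2200|sharepoint.corp.example
"""

if __name__ == "__main__":
    for host, parent, child, dest in find_document_spawned_beacons(SAMPLE_LOG.splitlines()):
        print(f"ALERT host={host}: {parent} spawned {child}, which connected to {dest}")
```

Run as-is, the script reports only the ws-17 chain. The rule is deliberately narrow (parent is a document application, child is the process that connects, and the two events fall within five minutes), which keeps the benign "Excel opens an internal file share" case on ws-22 quiet; in production the parent list and window would be tuned to the organisation's own telemetry.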

“Another day dawns and brings us another disclosure of a major campaign against multiple targets across the globe,” said Anup Ghosh, CEO of Invincea. “If there is anyone left in the security industry that doesn’t believe we have a major problem on our hands, I would be mortified. For the past few years the drumbeat has been growing louder and louder – and frankly, nothing seems shocking any longer in the face of all we have seen. But we should be shocked with every new disclosure because what it shows us is that we aren’t doing what is necessary to fight back against our adversaries and our nations and corporations face existential threats as a result.”
