Cyber security researchers have turned up evidence of a sophisticated cyber-espionage campaign that has been targeting political and business groups throughout the world for more than five years.
The campaign, dubbed ‘Red October‘ by security researchers, is believed to have been started by a Russian-speaking group that targeted institutions throughout the world using malware that not only targeted workstations, but also mobile devices such as Windows Mobile and the Apple iPhone.
The investigation into the campaign was run by researchers from Kaspersky Lab and several Computer Emergency Response Teams (CERTs) in the U.S., Belarus and Romania. The largest number of infections was found in the Russian Federation, with Kazakhstan being the second most targeted country. Based on registration data of command and control (C&C) servers and “numerous artifacts left in executables of the malware,” Kaspersky Lab researchers believe the attackers have Russian-speaking origins – though the attackers used public exploit code that originally came from a previously known targeted attack campaign with Chinese origins.
“This campaign personifies the steal everything mantra,” Roel Schouwenberg, senior researcher, Kaspersky Lab, told SecurityWeek. “Next to the more standard things it’s after files encrypted by classified software used by the European Parliament and NATO. It’s also able to siphon the data off of smart phones, Cisco routers and SIP phones. On the operations side the C&C infrastructure is huge, spanning sixty domains and numerous servers.”
The campaign – also called ‘Rocra‘, which is short for Red October – is currently still active with data being sent to multiple C&C servers through a configuration Kaspersky Lab researchers said rivals the infrastructure of the Flame malware in complexity. So far, researchers said, no evidence has turned up indicating any connection between Red October and the Flame, Duqu or Gauss attacks.
The attackers behind the campaign used custom-made malware framework with a modular architecture comprised of malicious extensions, information-stealing modules and backdoor Trojans. The main purpose of the attack is to steal information, including files from different cryptographic systems such as «Acid Cryptofiler», which is known to be used in organizations of European Union/European Parliament/European Commission since the summer of 2011, according to Kaspersky Lab.
The stolen information also included user credentials, which were compiled in a list and used when the attackers needed to guess passwords or phrases to access additional systems. To control the compromised machines, the attackers created more than 60 domain names and several server hosting locations in different countries, mostly in Germany and Russia. Several servers were working as proxies in order to mask the location of the “mothership control server,” according to Kaspersky Lab.
“The malicious code was delivered via e-mail as attachments (Microsoft Excel, Word and, probably PDF documents) which were rigged with exploit code for known security vulnerabilities in the mentioned applications,” Kaspersky Lab noted in a report. “Right after the victim opened the malicious document on a vulnerable system, the embedded malicious code initiated the setup of the main component which in turn handled further communication with the C&C servers. Next, the system receives a number of additional spy modules from the C&C server, including modules to handle infection of smartphones.”
The attackers exploited at least three different vulnerabilities: CVE-2009-3129 (Microsoft Excel), CVE-2010-3333 (Microsoft Word) and CVE-2012-0158 (Microsoft Word). The first attacks using the exploit CVE-2009-3129 started in 2010, while attacks targeting the Microsoft Word vulnerabilities appeared in the summer of 2012.
“Another day dawns and brings us another disclosure of a major campaign against multiple targets across the globe,” said Anup Ghosh, CEO of Invincea. “If there is anyone left in the security industry that doesn’t believe we have a major problem on our hands, I would be mortified. For the past few years the drumbeat has been growing louder and louder – and frankly, nothing seems shocking any longer in the face of all we have seen. But we should be shocked with every new disclosure because what it shows us is that we aren’t doing what is necessary to fight back against our adversaries and our nations and corporations face existential threats as a result.”