Kaspersky Lab’s hunt for Red October

Specialists uncover five-year-old espionage ring targeting global diplomatic, government systems

Tags: Cyber crime, Kaspersky Lab
Attackers created unique, highly flexible malware to steal data and geopolitical intelligence.
By ITP.net Staff Writer. Published January 15, 2013

Kaspersky Lab yesterday published a new research report in which it claimed to have identified "an elusive cyber-espionage campaign" dubbed Operation Red October, which the cyber security specialist said had been "targeting diplomatic, governmental and scientific research organisations in several countries for at least five years".

According to Kaspersky, the primary focus of the campaign involved targeting countries in Eastern Europe, former USSR republics, and countries in Central Asia, although victims can be found everywhere, including Western Europe and North America. The main objective of the attackers was to gather sensitive documents from the compromised organisations, which Kaspersky said included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment.

In October 2012 Kaspersky Lab's team of specialists initiated an investigation following a series of attacks against computer networks targeting international diplomatic service agencies. A large-scale cyber-espionage network was revealed and analyzed during the investigation. According to Kaspersky Lab's analysis report, Operation Red October, called "Rocra" for short, is still active as of January 2013, and has been a sustained campaign dating back as far as 2007.

Apart from diplomatic, governmental and scientific research organisations, Red October's cyber-espionage network has been targeting energy and nuclear groups, as well as trade and aerospace targets. The Red October attackers designed their own malware, identified as "Rocra", which has a unique modular architecture comprising malicious extensions, info-stealing modules and backdoor Trojans.

Kaspersky Lab said the attackers often used information exfiltrated from infected networks as a way to gain entry into additional systems. For example, stolen credentials were compiled in a list and used when the attackers needed to guess passwords or phrases to gain access to additional systems.

To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries, with the majority being in Germany and Russia. Kaspersky Lab's analysis of Rocra's Command & Control (C2) infrastructure shows that the chain of servers was actually working as an array of proxies in order to hide the location of the "mothership" control server.

Information stolen from infected systems includes documents with the extensions txt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau, cif, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca, aciddsk, acidpvr, acidppr and acidssa. In particular, the "acid*" extensions appear to refer to the classified software "Acid Cryptofiler", which is used by several entities, from the European Union to NATO.
