The “Red October” Cyber attacks

The “Red October” Cyber attacks

This post is also available in: heעברית (Hebrew)

Picture1 (NXP) Kaspersky Lab is following an elusive cyber-espionage campaign targeting diplomatic, governmental and scientific research organizations in several countries for at least five years. The primary focus of this campaign targets countries in Eastern Europe, former USSR Republics, and countries in Central Asia, although victims can be found everywhere, including Western Europe and North America. The main objective of the attackers was to gather sensitive documents from the compromised organizations, which included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment.         

In October 2012 Kaspersky Lab’s team of experts initiated an investigation following a series of attacks against computer networks targeting international diplomatic service agencies. A large scale cyber-espionage network was revealed and analyzed during the investigation.

According to Kaspersky Lab’s analysis report, Operation Red October, called “Rocra” for short, is still active as of January 2013, and has been a sustained campaign dating back as far as 2007.

The attackers have been active since at least 2007 and have been focusing on diplomatic and governmental agencies of various countries across the world, in addition to research institutions, energy and nuclear groups, and trade and aerospace targets. The Red October attackers designed their own malware, identified as “Rocra,” that has its own unique modular architecture comprised of malicious extensions, info-stealing modules and backdoor Trojans.

The attackers often used information from infected networks as a way to gain entry into additional systems. For example, stolen credentials were compiled in a list and used when the attackers needed to guess passwords or phrases to gain access to additional systems.

To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries, with the majority being in Germany and Russia. Kaspersky Lab’s analysis of Rocra’s Command & Control (C2) infrastructure shows that the chain of servers was actually working as proxies in order to hide the location of the ‘mothership’ control server.

Information stolen from infected systems includes documents with extensions: txt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau, cif, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca, aciddsk, acidpvr, acidppr, acidssa. In particular, the “acid*” extensions appears to refer to the classified software “Acid Cryptofiler”, which is used by several entities, from the European Union to NATO.