Darlene Storm

Red October 5-year cyber espionage attack: Malware resurrects itself

January 14, 2013 1:55 PM EST

Red October may bring a fictitious submarine to mind, but the latest Hunt for Red October is not a Tom Clancy action/adventure thriller film or book; instead, this Red October is a high-level cyber-espionage campaign, designed to steal—including encrypted files and from mobile phones—and has successfully gained access to government embassies and research agencies. Kaspersky Lab reported, "During the past five years, a high-level cyber-espionage campaign has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations, gathering data and intelligence from mobile devices, computer systems and network equipment."

The attacks targeted “specific organizations” in Eastern Europe such as the Russian Federation, but there have been victims from 69 countries including the six infected machines in the United States.

aspersky advanced cyber espionage attack, Operation Red October map

This highly targeted attack has infected hundreds of computers since 2007 and is still active. Kaspersky said it has been analyzing the malware for months, and so far knows that victims fall into the following eight categories: Government, Diplomatic / embassies, Research institutions, Trade and commerce, Nuclear / energy research, Oil and gas companies, Aerospace and Military.

Kaspersky does not believe Operation Red October, also dubbed “Rocra,” is related to Flame, Guass or DuQu. Unlike Stuxnet, the attacks are not believed to have caused physical damage to critical infrastructure. Rocra is about cyber espionage and stealing information. However the researchers wrote, “Compared to Aurora and Night Dragon, Rocra is a lot more sophisticated. During our investigation we've uncovered over 1000 unique files, belonging to about 30 different module categories.” They were “created between 2007 with the most recent being compiled on 8th Jan 2013.” There are many notable facts, including that “the attackers used exploit code that was made public and originally came from a previously known targeted attack campaign with Chinese origins.”

Part one of Kaspersky’s report released today states:

Information harvested from infected networks was reused in later attacks. For example, stolen credentials were compiled in a list and used when the attackers needed to guess secret phrase in other locations. To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries (mainly Germany and Russia). The C&C [Command & Control] infrastructure is actually a chain of servers working as proxies and hiding the location of the ‘mothership’ control server.

Kurt Baumgartner, a senior security researcher at Kaspersky Lab, described the Red October campaign to the New York Times as:

a “sophisticated and very patient multiyear effort” to extract geopolitical and confidential intelligence from computers, network devices like routers and switches, and smartphones. The malware was designed to extract files, e-mails and passwords from PCs, record keystrokes and take screenshots, and steal a user’s Web browsing history on Chrome, Firefox, Internet Explorer and Opera browsers. It could also pilfer contacts, call histories, calendars, text messages and browsing histories from smartphones, including iPhones, Windows, Nokia, Sony, and HTC phones. And it collected information about installed software, including Oracle’s database software, remote administration software and instant messaging software, like that made by Mail.Ru, a Russian e-mail and instant messaging service.

According to the press release about Infecting Victims:

To infect systems, the attackers sent a targeted spear-phishing email to a victim that included a customized Trojan dropper. In order to install the malware and infect the system the malicious email included exploits that were rigged for security vulnerabilities inside Microsoft Office and Microsoft Excel. The exploits from the documents used in the spear-phishing emails were created by other attackers and employed during different cyberattacks including Tibetan activists as well as military and energy sector targets in Asia. The only thing that was changed in the document used by Rocra was the embedded executable, which the attackers replaced with their own code.  Notably, one of the commands in the Trojan dropper changed the default system codepage of the command prompt session to 1251, which is required to render Cyrillic fonts.

Red October’s Resurrection module

Red October’s Resurrection module allows it to “hide on a machine as if deleted,” University of Surrey Professor Alan Woodward told BBC, "If it's discovered, it hides. When everyone thinks the coast is clear, you just send an email and 'boof' it's back and active again."

Rocra malware: unique architecture and functionality (from the press release)

The attackers created a multi-functional attack platform that includes several extensions and malicious files designed to quickly adjust to different systems' configurations and harvest intelligence from infected machines. The platform is unique to Rocra and has not been identified by Kaspersky Lab in previous cyber-espionage campaigns. Notable characteristics include:

  • "Resurrection" module: A unique module that enables the attackers to "resurrect" infected machines. The module is embedded as a plug-in inside Adobe Reader and Microsoft Office installations and provides the attackers a foolproof way to regain access to a target system if the main malware body is discovered and removed, or if the system is patched. Once the C2s are operational again the attackers send a specialized document file (PDF or Office document) to victims' machines via e-mail which will activate the malware again.
  • Advanced cryptographic spy-modules: The main purpose of the spying modules is to steal information. This includes files from different cryptographic systems, such as Acid Cryptofiler, which is known to be used in organizations of NATO, the European Union, European Parliament and European Commission since the summer of 2011 to protect sensitive information.
  • Mobile Devices: In addition to targeting traditional workstations, the malware is capable of stealing data from mobile devices, such as smartphones (iPhone, Nokia and Windows Mobile). The malware is also capable of stealing configuration information from enterprise network equipment such as routers and switches, as well as deleted files from removable disk drives.

 

From November 2, 2012 to January 10th, 2013, Kaspersky's sinkhole analysis indicated there were over 55,000 connection targets from 250 different IP addresses. Kaspersky plans to publish part two of its report, 100 pages of “detailed technical analysis” later this week.