The Hunt for Red October

Jan 15, 2013

Not even Tom Clancy could dream up this one. Security firm Kaspersky Lab yesterday revealed that it has discovered “Operation Red October”, which it calls an “advanced cyber-espionage campaign targeting diplomatic, governmental and scientific research organisations in several countries for at least five years”. Attackers created unique, flexible malware to steal data and geopolitical intelligence from target victims’ computer systems, mobile phones and enterprise network equipment.

According to Kaspersky Lab’s report, the cyber-espionage campaign focuses primarily on countries in Eastern Europe, former USSR republics and countries in Central Asia, although victims can be found everywhere, including Western Europe and North America.

Kaspersky Lab started its investigation in October last year following a series of attacks against computer networks targeting international diplomatic service agencies. It soon discovered that the attackers have been active since at least 2007 and have been focusing on diplomatic and governmental agencies of various countries, in addition to research institutions, energy and nuclear groups, and trade and aerospace targets.

The Red October attackers designed their own malware, identified as ‘Rocra’, that has its own unique modular architecture comprised of malicious extensions, info-stealing modules and backdoor Trojans.

To infect systems, the attackers sent a targeted spear-phishing email to a victim that included a customised Trojan “dropper”. This used “software exploits” developed and used in previous cyber attacks to install its malware. The attackers then created more than 60 domain names and several server hosting locations in different countries, with the majority being in Germany and Russia, to control the infected machines. This chain of servers was actually working as proxies in order to hide the location of the main control server – which is likely to be in Russia:

“Based on the registration data of the command and control servers and the numerous artefacts left in executables of the malware, there is strong technical evidence to indicate the attackers have Russian-speaking origins.”

Spy software modules were able to steal information from the infected hosts, including encrypted files such as those created by Acid Cryptofiler, which Kaspersky Lab says is used in NATO, the European Union and European Commission. But it wasn’t just laptops and PCs that were infected. The Red October campaign also targeted smartphones.

Kaspersky Lab employed its own methods to investigate, and discovered “several hundred unique infected systems”, the majority of which were located in Eastern Europe, but other infections were also identified in North America and Europe, particularly Switzerland, Luxembourg and Greece – 39 countries in total.

Kaspersky Lab, in collaboration with international organisations, law enforcement agencies and Computer Emergency Response Teams, is continuing its investigation of Rocra. Although this could soon develop into a scandal of Stuxnet proportions, there is no evidence that Rocra is in any way linked to the malware worm that attacked Iran's nuclear facilities in 2009. You can access the full report here.
