'Red October' spies on diplomats, governments worldwide

'Red October' spies on diplomats, governments worldwide

Summary: It might have taken five years to discover, but a government-snooping spying campaign dubbed Red October has been exposed by Kaspersky Labs.

TOPICS: Security
operation red october cyber attack government diplomat

Kaspersky Labs has discovered yet another worldwide spying campaign that targets governmental bodies, political groups and research institutions.

On par with the memorable Flame malware, Kaspersky and a number of Cyber Emergency Response Teams (CERTs) discovered the malware -- known as Rocra or Red October -- which mostly targets institutions based in Eastern Europe, former USSR members and countries in Central Asia.

Kaspersky says that Red October has been gathering data and intelligence from "mobile devices, computer systems and network equipment" and is currently still active. Data is gathered and sent to multiple command-and-control servers which the security firm says rivals the complex nature of Flame.

The malware is sent via a spear-phishing email which, according to the firm, targets carefully-selected victims with an organisation. Containing at least three different exploits in Microsoft Excel and Word, the infected files, once downloaded, drops a trojan on to the machine which then scans the local network to detect if any other devices are vulnerable to the same security flaw.

By dropping modules that can complete a number of "tasks," usually as .dll libraries, an infected machine obeys commands sent by the command center and then immediately discards the evidence. Separated in to "persistent" and "one-time" tasks, the malware is able to spy and steal in a number of ways, including:

  • Waiting for a Microsoft Office or PDF document and executing a malicious payload embedded in that document;
  • Creating one-way covert channels of communication,
  • Recording keystrokes, making screenshots,
  • Retrieve e-mail messages and attachments;
  • Collect general software and hardware environment information,
  • Extracting browsing history from Chrome, Firefox, Internet Explorer, Opera, and saving passwords,
  • Extracting Windows account hashes;
  • Extract Outlook account information,
  • Performing network scans, dump configuration data from Cisco devices if available.

Some .exe tasks remain on the system while waiting for the correct environment, for example, waiting for a phone to connect. Microsoft's Windows Phone, the iPhone and Nokia models are all said to be vulnerable.

Designed to steal encrypted files and even those that have been deleted from a victim's computer, the malware -- named as a hat-tip to the novel "The Hunt For The Red October" -- has several key features which suggests it may be state-sponsored, although there is no official word on this yet.

Among the features, there is a "resurrection module" within the malware which keeps the infection hidden, disguised as a plugin for a program such as Microsoft Office, which can then reincarnate the infection after removal.

In addition, Red October does not simply focus on standard machines, but is also able to infect and steal data from mobile devices, hijacking information from external storage drives, accessing FTP servers and thieving information from email databases.

In order to control the network of infection, Kaspersky says that over 60 domain names and several different servers, hosted in various countries, are employed. In order to keep the main command center secret, the C&C infrastructure works as a huge network of proxies.

Kaspersky believes that the cyberattackers have been active for a minimum of five years, based on domain name registration dates and PE timestamps, and the firm "strongly believes" that the origins of the malware are Russian.

This high-profile network may suggest that state sponsorship could be involved. As Kaspersky Labs notes:

"The information stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states. Such information could be traded in the underground and sold to the highest bidder, which can be of course, anywhere."

Any information harvested, including stolen credentials or confidential data, is stored for later use. For example, if an attacker needs to guess a password in another location, it is possible that harvested data could provide clues -- creating an espionage network full of intelligence that hackers can refer to in need. After at least five years of activity, the Russian security firm believes that at least 5 terabytes of confidential information could have been stolen.

"During the past five years, the attackers collected information from hundreds of high profile victims although it's unknown how the information was used. It is possible that the information was sold on the black market, or used directly," Kaspersky said.

The majority of infections are based in Russia, although Kazakhstan, Azerbaijan, the U.S. and Italy have all reported cases. The exploits appear to have Chinese origins, whereas the malware modules may have a Russian background.

Red October was first brought to Kaspersky's attention in October 2012 after a tip of of an anonymous source. A full report on the spying campaign is due to be published this week.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • I was wondering why China was gray in the detail

    so I kinda' figured it was a giveaway as to who's likely behind it.
    William Farrel
    • Keep Wondering


      Wonder too why Britain is grey! And notice that "Cape to Cairo" is all in empire red too.
      • Oops..

        Scratch out the "cape to cairo" bit. :)
  • Kaspersky?

    I hardly trust Kaspersky! Also, I am wondering why it is only them that finds this kind of terrible spyware?

    It is imperative to keep in mind that the owner of Kaspersky does not believe in freedom of speech and want governments to control what we post on the web and read. So do we really need to trust their reports? I am sure that they would be coming after my machine, once I post this. Putin guys are interesting lot.
  • Red October?

    Almost funny article, but no mention of who is behind it?
    Obviously Canada has no security worth stealing :)

    Is it a political expliot linked to one governmenet,
    or is it a privare "hacker" kind of exploit?
  • Who Did It??

    Looking at the map and using logic(very unreliable), I would like to point out a few ideas of mine.:
    1. It does not look like China, because their major conflicts and interests in Asia would definitely include the Phillipines and South Korea. The fact that they are gray is because they do not report on the infections that they have suffered.
    2. Look carefully at which country has the highest variety of intrusions... Belarus. Well, this would indicate either one of its neighbors if it is state sponsored, or itself if it is a hacking community. There is really litte to gain in normal circumstances.
    3. Notice that the country that most would consider to be the most targetted (USA) only has diplomatic intrusions. I would find to to be quite unnatural, unless it is the US of A who is checking on some of the foreign embassies operating out of US. They would love to get hold of what the Russian Embassy is sending out.

    I hope this helps us curious ones see things a bit differently.

    Of course, the author now, having this logic leaked out, will need to try to write articles differently if she wants other articles to try to blame (or frame) the wrong country.
    • Many players

      In the case of any former Soviet satellite country, I would bet on the Russian cybermilitia, under direction of Russian political actors.
  • I have to wonder

    It should be trivial for Microsoft, in theory, to be able to detect these types of code shenanigans involving their products, yet they never do -- it's *always* a 3rd party.
  • Cyberwar

    The questions from other contributers such as why is it only 3rd parties find these bugs, is answered quite simply. Sub contractors who work directly, must be the answer. Why are there grey areas? Its clear we dont and wont have the full picture of whats going on at any time.
    John Edwards0955
  • Hard truth

    Hard truth, keep in mind that hte longest finger doesn't always point in the rt direction.
    Kimberly Howard