Red October hackers also used Java exploit for spy campaign

Hackers targeting diplomats and government officials had another attack vector up their sleeves.
Written by Liam Tung, Contributing Writer

Hackers behind the long-running espionage campaign dubbed Red October were also using an old Java exploit to capture targets from government agencies and embassies.

Earlier this week Russian security firm Kaspersky Lab announced the discovery of a targeted malware campaign aimed at high-profile diplomatic, military and government targets across 39 nations. The victims were primarily in Eastern Europe; however, individuals in Western Europe and North America were also targeted.

The attackers had evaded detection for over five years, according to Kaspersky, giving them access to victims' passwords, network configurations and sensitive information on workstations and mobile devices.

While the researchers identified dozens of information-stealing capabilities, Red October's primary attack methods relied on exploits for flaws in Word and Excel documents, most likely sent to targets as email attachments. However, there was no evidence the attackers had used today's most popular attack vector: the web.

Israeli security start-up Seculert revealed on Tuesday it had discovered the Red October hackers were indeed using the web, exploiting an old Java flaw (CVE-2011-3544) that Oracle patched in October 2011.

The attacks using this exploit occurred around February 2012; however, an apparent slip-up the Red October hackers made while redesigning their command and control servers (sometime between then and today) meant that the web page containing the exploit now published the source code rather than delivering the exploit.

"This allowed us to take a sneak peek to the 'behind the scenes' of their operation," Seculert said.

In similar fashion to the malware identified by Kaspersky researchers, the malware was keeping a log of "unique identifiers" for individual victims.

Notably, none of the exploits the Red October hackers had used for the long-running campaign were zero days or unpatched flaws.

One of the Word exploits had even been borrowed from an earlier spear-phishing campaign aimed at Tibetan activists, according to Kaspersky. The only aspect the Red October hackers changed was the executable that was embedded in the document, it said.

Kaspersky researchers identified two exploits for Microsoft Word flaws (CVE-2010-3333 and CVE-2012-0158) and one exploit for an Excel vulnerability (CVE-2009-3129), all patched prior to the attacks, which took place between May 2010 and December 2012.