Kaspersky Lab discovered the cyber espionage campaign “Red October”

Pierluigi Paganini January 15, 2013

Last October Kaspersky Lab’s Global Research & Analysis Team started a new investigation after several attacks hit computer networks of various international diplomatic service agencies.

The attacks appeared very suspicious, and a new large-scale cyber-espionage operation has been discovered. The operation is dubbed «Red October» (ROCRA), a name inspired by the famous novel «The Hunt for Red October».

The operation was conducted to acquire sensitive information from diplomatic, governmental and scientific research organizations in many countries, most of them in Eastern Europe, former USSR members and Central Asia. The campaign hit hundreds of machines belonging to the following categories:

  • Government
  • Diplomatic / embassies
  • Research institutions
  • Trade and commerce
  • Nuclear / energy research
  • Oil and gas companies
  • Aerospace
  • Military

Figure: Red October

Compared to Aurora and Night Dragon, Rocra is more complex: it uses more sophisticated malware that has evaded detection for the last 5 years while stealing hundreds of terabytes of data.


Unlike other cyber espionage campaigns discovered in the past, Red October has targeted a variety of devices, including enterprise network equipment and mobile devices (Windows Mobile, iPhone, Nokia), hijacking files from removable disk drives, stealing e-mail databases from local Outlook storage or remote POP/IMAP servers, and siphoning files from local network FTP servers.

What is upsetting is that the evidence collected demonstrates that the cyber-espionage campaign started in 2007 and is still active. During the last 5 years a huge quantity of data has been collected, and the obtained information, such as service credentials, has been reused in later attacks.

The Kaspersky Lab blog post states:

“The campaign, identified as “Rocra”, short for “Red October”, is currently still active with data being sent to multiple command-and-control servers, through a configuration which rivals in complexity the infrastructure of the Flame malware. Registration data used for the purchase of C&C domain names and PE timestamps from collected executables suggest that these attacks date as far back as May 2007.”

The control structure discovered is very complex and extensive: more than 60 domain names and several hosting servers located in many countries, mainly Germany and Russia. A particularity of the C&C architecture is that the network is arranged so that every node in the malicious structure works as a proxy, hiding the true "mothership" server.

Figure: C&C architecture

Security experts were able to sinkhole around 10% of the domains; during the period 2 Nov 2012 – 10 Jan 2013, over 55,000 connections to the sinkhole were registered from 250 different victim IPs in 39 different countries, with most of the IPs being from Switzerland. Kazakhstan and Greece follow next.

Figure: Red October geo-distribution of victims

Which are the vulnerabilities exploited in the attacks?

The security experts discovered that at least three different known vulnerabilities have been exploited:

  • CVE-2009-3129 (MS Excel) [attacks dated 2010 and 2011]
  • CVE-2010-3333 (MS Word) [attacks conducted in the summer of 2012]
  • CVE-2012-0158 (MS Word) [attacks conducted in the summer of 2012]

Evidence collected during the investigation led security specialists to believe that the attackers have Russian origins, but strangely they appear unrelated to any other cyber attacks detected until now.

These attacks are structured in two distinct phases, according to the classic scheme of targeted attacks:

  1. Initial infection
  2. Additional modules deployed for intelligence gathering

In the initial phase the malware is delivered via e-mail as attachments (Microsoft Excel, Word and, probably, PDF documents). Once victims opened the malicious document, the embedded malicious code initiated the setup of the main component, which in turn handled further communication with the C&C servers; afterwards the malware receives from the C&C server a number of additional spy modules.

The method used to infect the entire network is very efficient: the hackers used a module to scan the target infrastructure for vulnerable machines.

“The main malware body acts as a point of entry into the system which can later download modules used for lateral movement. After initial infection, the malware won’t propagate by itself – typically, the attackers would gather information about the network for a few days, identify key systems and then deploy modules which can compromise other computers in the network, for instance by using the MS08-067 exploit.”

The attacks against each machine and its related services are carried out by exploiting the above vulnerabilities or by gaining access using credentials collected during other attacks of the same campaign. The exploits appear to have been created by Chinese hackers.

Once again the Kaspersky team has identified a cyber espionage campaign, excellent analytical work under tight deadlines.
What alarms me is that such campaigns could be going on for years with disastrous consequences … what to do at this point?

How is it possible that such an extensive operation escaped the worldwide security community for so long?

Who is behind the attacks? Cyber criminals or state-sponsored hackers?

Will we be forced to ban the use of our computers in critical sectors such as diplomacy?

Pierluigi Paganini

UPDATE 2013/01/15

Jeffrey Carr, founder and CEO of Taia Global, Inc, posted on his blog:

The developers behind ROCRA, who are Russian, are comfortable using Chinese malware and adapting it for their own use according to the Kaspersky report. This fits the RBN profile to a ‘t’. I ran 13 IPs listed in Kaspersky’s report against the RBN list maintained by James McQuade and found matching IP blocks for five of them:

Malicious servers

  • 178.63.208.49 matches to 178.63.
  • 188.40.19.247 matches to 188.40.
  • 78.46.173.15 matches to 78.46.
  • 88.198.30.44 matches to 88.198.

Mini-motherships

  • 91.226.31.40 matches to 91.226.

It has been my belief for many years that the RBN has a working relationship with the Russian government; that it disappeared from view when the FBI sought the assistance of the FSB to shut down their operations in 2007 (as detailed in chapter 8 of my book); and that it has continued operating below the radar all this time. It provides distance and deniability to the FSB for certain offensive cyber operations and, in exchange, the FSB allows the RBN to operate as a criminal enterprise; a portion of which involves selling the data that it steals to whomever is interested. Red October is already the most significant find of the new year. If, in fact, Kaspersky has uncovered an RBN-controlled espionage ring, it's going to be one of the most important discoveries of the decade.
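The check Carr describes above, running C&C server IPs against a list of suspect network blocks, as an added example (not code from the post, from Kaspersky or from Jeffrey Carr): the block list is constructed here from the prefixes quoted in the update ("matches to 178.63." is read as 178.63.0.0/16) and is not the real RBN list; the hypothetical 203.0.113.7 is added only to show a non-matching address.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

# Constructed block list for this example, derived from the prefixes quoted in the
# update. The narrower /24 is added to show longest-prefix matching; none of this
# is the RBN list itself.
SUSPECT_BLOCKS = [
    ipaddress.ip_network("178.63.0.0/16"),
    ipaddress.ip_network("188.40.0.0/16"),
    ipaddress.ip_network("78.46.0.0/16"),
    ipaddress.ip_network("88.198.0.0/16"),
    ipaddress.ip_network("91.226.0.0/16"),
    ipaddress.ip_network("91.226.31.0/24"),
]

# The five server IPs quoted in the post, plus one constructed address (203.0.113.7,
# from the documentation range) that must not match anything.
SERVER_IPS = ["178.63.208.49", "188.40.19.247", "78.46.173.15",
              "88.198.30.44", "91.226.31.40", "203.0.113.7"]


def longest_match(ip: str, blocks: Iterable[ipaddress.IPv4Network]) -> Optional[ipaddress.IPv4Network]:
    """Return the most specific block containing ip, or None when no block matches."""
    addr = ipaddress.ip_address(ip)
    hits = [net for net in blocks if addr in net]   # version mismatch simply yields no hit
    return max(hits, key=lambda net: net.prefixlen) if hits else None


def match_servers(ips: Iterable[str], blocks: Iterable[ipaddress.IPv4Network]) -> Dict[str, Optional[str]]:
    """Map each IP to the CIDR string of its most specific matching block (None = no match).
    Malformed entries are recorded as None rather than aborting the whole run."""
    blocks = list(blocks)
    result: Dict[str, Optional[str]] = {}
    for ip in ips:
        try:
            hit = longest_match(ip, blocks)
        except ValueError:          # not a valid IP literal
            hit = None
        result[ip] = str(hit) if hit else None
    return result


def summarize(result: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Split a match result into sorted matched / unmatched IP lists for reporting."""
    return {"matched": sorted(ip for ip, net in result.items() if net),
            "unmatched": sorted(ip for ip, net in result.items() if net is None)}


if __name__ == "__main__":
    for ip, net in match_servers(SERVER_IPS, SUSPECT_BLOCKS).items():
        print(f"{ip:16} -> {net or 'no match'}")
```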


Pierluigi Paganini

(SecurityAffairs – Red October, cyberespionage)
