Pierluigi Paganini January 15, 2013

Last October Kaspersky Lab’s Global Research & Analysis Team started a new investigation after several attacks hit computer networks of various international diplomatic service agencies.

The attacks appeared very suspect, a new large scale cyber-espionage operation has been discovered, the operation is dubbed «Red October», a name inspired by famous novel «The Hunt For The Red October» (ROCRA).

The operation was conducted to acquire sensitive information from diplomatic, governmental and scientific research organizations in many countries, mostly of them of Eastern Europe, former USSR members and countries in Central Asia. The campaign hit hundreds of machines belonging to following categories:

• Government
• Diplomatic / embassies
• Research institutions
• Trade and commerce
• Nuclear / energy research
• Oil and gas companies
• Aerospace
• Military

Compared to Aurora and Night Dragon, Rocra is more complex because uses more sophisticated malware able to evade detection during last 5 years while continuing to stealing hundreds of Terabytes by now.

Differently from other cyber espionage campaigns discovered in the past, Red October has targeted various devices such as enterprise network equipment and mobile devices (Windows Mobile, iPhone, Nokia), hijacking files from removable disk drives, stealing e-mail databases from local Outlook storage or remote POP/IMAP server and siphoning files from local network FTP servers.

What is upsetting is that evidence collected demonstrate that cyber-espionage campaign was started  since 2007 and is still active. During the last 5 years a huge quantity of data has been collected, the obtained information, such as service credentials, has been reused in later attacks.

The Kaspersky Lab blog post states

“The campaign, identified as “Rocra”, short for “Red October”, is currently still active with data being sent to multiple command-and-control servers, through a configuration which rivals in complexity the infrastructure of the Flame malware. Registration data used for the purchase of C&C domain names and PE timestamps from collected executables suggest that these attacks date as far back as May 2007.”

The control structure discovered is very complex and extended, more than 60 domain names and several servers hosting located in many countries mainly Germany and Russia. A particularity of the C&C architecture is that the network is arranged to hide the mothership-server true proxy functionality of every node in the malicious structure.

C&C architecture

Security experts were able to sinkhole around 10% of the domains, during the period 2 Nov 2012 – 10 Jan 2013 were registered over 55,000 connections to the sinkhole from 250 different victim’s IPs from 39 different countries,with most of IPs being from Switzerland. Kazakhstan and Greece follow next.

Red October Geo-distribution of victims

Which are the vulnerabilities exploited in the attacks?

The security expert discovered that at least three different known vulnerabilities have been exploited

• CVE-2009-3129 (MS Excel) [attacks dated 2010 and 21011]
• CVE-2010-3333 (MS Word) [attacks conducted in the summer of 2012]
• CVE-2012-0158 (MS Word) [attacks conducted in the summer of 2012]

Evidences collected during the investigation, let security specialists to believe that attackers have Russian origins, but strangely they appear unrelated to any other cyber attacks detected until now.

These attacks are structured in two distinct phases according a classic schema of targeted attacks:

1. Initial infection
2. Additional modules deployed for intelligence gathering

In the initial phase the malware is delivered via e-mail as attachments (Microsoft Excel, Word and, probably PDF documents), once victims opened the malicious document the embedded malicious code initiated the setup of the main component which in turn handled further communication with the C&C servers,  after the malware receives from the C&C server a number of additional spy modules.e-mail as attachments (Microsoft Excel, Word and, probably PDF documents), once victims opened the malicious document the embedded malicious code initiated the setup of the main component which in turn handled further communication with the C&C servers,  after the malware receives from the C&C server a number of additional spy modules.

The way to infect the entire network is very efficient, the hackers used a module to scan target infrastructure searching for vulnerable machines.

“The main malware body acts as a point of entry into the system which can later download modules used for lateral movement. After initial infection, the malware won’t propagate by itself – typically, the attackers would gather information about the network for a few days, identify key systems and then deploy modules which can compromise other computers in the network, for instance by using the MS08-067 exploit.”

The attacks against each machine and related services is made exploiting the above vulnerabilities or gaining access to it using credentials collected during other attacks of the same campaign. The exploits appear to have been created by Chinese hackers.

Once again the group of Kaspersky has identified a campaign of cyber espionage, excellent analytical work to tight deadlines.
What alarms me is that such campaigns could be going on for years with disastrous consequences … what to do at this point? … what to do at this point? What to do at this point?

How is it possible that an operation so extended escape for so long to worldwide security community?

Who is behind the attacks? Cyber criminals or state-sponsored hackers?

Will we be forced to ban the use of our computers in critical sector such as diplomatic?

Pierluigi Paganini

UPDATE  2013/01/15

Jeffrey Carr, founder and CEO of Taia Global, Inc, posted on his blog

Pierluigi Paganini

(SecurityAffairs – Red October, cyberespionage)

[adrotate banner=”5″]

[adrotate banner=”13″]