Are CloudAtlas and RedOctober campaigns managed by same APT?

Pierluigi Paganini December 11, 2014

Kaspersky Lab suspects that the bad actor who is managing a new campaign dubbed CloudAtlas is the same that run the Operation Red October two years ago.

Red October is the name of a cyber espionage campaign discovered by security experts at Kaspersky Lab in late 2012 and disclosed in January 2013. The threat actors behind the Red October campaign have stolen sensitive information from diplomatic, governmental and scientific research organizations in several countries, the majority of them in Eastern Europe, former USSR members and countries in Central Asia. The campaign targeted computers in the following industries:

  • Government
  • Diplomatic / embassies
  • Research institutions
  • Trade and commerce
  • Nuclear / energy research
  • Oil and gas companies
  • Aerospace
  • Military

Red October similarities with CloudAtlas


After the public disclosure of Kaspersky, the RedOctober APT apparently interrupted its campaign and dismantled the network of C&Cs the attackers used. Experts at Kaspersky explained that as usually happens with large scale cyber operations, threat actors make huge investments so they just suspend the operations for a few months, recompose their arsenal and resume operations. For this reason, the experts have paid special attention to a possible recurrence of the Red October APT.

Nothing happened since August 2014,  when researchers detected e series of targeted attacks exploiting the CVE-2012-0158 and an unusual set of malware, the experts dubbed the campaign CloudAtlas. The researchers discovered some similarities with the Red October campaign, as explained in a blog post published on SecureList.

“At least one of them immediately reminded us of RedOctober, which used a very similarly named  spearphish: “Diplomatic Car for Sale.doc”. As we started digging into the operation, more details emerged which supported this theory.””Perhaps the most unusual fact was that the Microsoft Office exploit didn’t directly write a Windows PE backdoor on disk. Instead, it writes an encrypted Visual Basic Script and runs it.” states the post.

The CloudAtlas campaign targeted some of the same entities hit by threat actors behind the Red October, the researchers believe the same both campaign are managed by the same group that show same techniques, tactics, and procedures (TTPs), hit the same countries (Russia, Belarus, Kazakhstan and India) and used similar tools.

Both Red October and CloudAtlas have targeted the same victims, exactly the same machines, there is also a clamorous case related to a machine that was attacked “only twice in the last two years, once by Red October and once by CloudAtlas.”

“Both Cloud Atlas and RedOctober malware implants rely on a similar construct, with a loader and the final payload that is stored encrypted and compressed in an external file. There are some important differences though, especially in the encryption algorithms used – RC4 in RedOctober vs AES in Cloud Atlas,” Kaspersky Lab team said.

“The usage of the compression algorithms in Cloud Atlas and RedOctober is another interesting similarity. Both malicious programs share the code for LZMA compression algorithm. In CloudAtlas it is used to compress the logs and to decompress the decrypted payload from the C&C servers, while in Red October the ‘scheduler’ plugin uses it to decompress executable payloads from the C&C.”

The researchers explained that the command and control infrastructure used for the CloudAtlas campaign is unusual, the hackers, in fact, are using accounts at Swedish cloud provider CloudMe to communicate with compromised machines.

“The attackers upload data to the account, which is downloaded by the implant, decrypted and interpreted. In turn, the malware uploads the replies back to the server via the same mechanism,” the experts said.

The staff at CloudMe confirmed via company Twitter account that they are working to delete shut down any CloudAtlas C2 accounts.

CloudAtlas campaign Twitter

Security experts at Blue Coat have also looked at the CloudAtlas campaign, but they coded the operation as Inception. Blue Coat focused its analysis on the capabilities of attackers to create tools to compromise a variety of mobile platforms.

“Blue Coat Lab researchers have recently found that the attackers have also created malware for Android, BlackBerry and iOS devices to gather information from victims, as well as seemingly planned MMS phishing campaigns to mobile devices of targeted individuals. To date, Blue Coat has observed over 60 mobile providers such as China Mobile, O2, Orange, SingTel, T-Mobile and Vodafone, included in these preparations, but the real number is likely far higher.” state the company.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  RedOctober, CloudAtlas)

[adrotate banner=”5″]

[adrotate banner=”13″]


you might also like

leave a comment