Kaspersky Lab talks up findings from hunt for Red October

News 15 Jan, 2013

Russian anti-virus vendor hails discovery of a cyber-espionage campaign that dates back to 2007.

Russian anti-virus vendor Kaspersky Lab has uncovered a cyber-espionage campaign it claims has been targeting diplomatic, governmental and scientific research organisations across Europe for at least five years.

The aim of the attacks, which have been dubbed Red October by Kaspersky’s researchers, is reportedly to obtain personal data from mobile devices and network equipment, as well as geopolitical intelligence and access to classified computer systems.

The attackers often used information obtained from infected networks to gain entry into additional systems.

So far the attacks have been targeted at organisations in Europe, former USSR Republics, Central Asia and North America, Kaspersky Lab claims.

The group also claims to have evidence to suggest the attackers may be Russian-speaking.

“In October 2012, Kaspersky Lab’s team of experts initiated an investigation following a series of attacks against computer networks targeting international diplomatic service agencies,” said the company in a statement.

“A large scale cyber-espionage network was revealed and analysed during the investigation...and is still active as of January 2013, and has been a sustained campaign dating back as far as 2007.”

The Red October attackers are said to have used their own “Rocra” malware, which is understood to consist of malicious extensions, information-stealing modules and backdoor Trojans.

In order to infect the computers, the attackers sent a spear phishing email to potential victims containing a Trojan dropper, a mechanism often used by attackers to infiltrate systems with adware and spyware, for example, to deliver the malware.

“To install the malware and infect the system the malicious email included exploits that were rigged for security vulnerabilities inside Microsoft Office and Microsoft Excel,” said the Kaspersky statement.

Further analysis by Kaspersky’s research team found that Rocra’s command and control infrastructure was made up of a chain of servers working as proxies to hide the location of the main one.

“The attackers often used information [obtained] from infected networks to gain entry into additional systems,” the statement continued.

“To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries, with the majority being in Germany and Russia.”

The researchers said the Rocra platform has not, to their knowledge, been used in other cyber espionage campaigns, and features a number of interesting capabilities.

These include a resurrection module, embedded as a plug-in inside Adobe Reader and Microsoft Office installations, that lets attackers regain access to machines after malware has been discovered, removed or patched.