Throwback Attack: Red October is the Swiss Army Knife of malware

Courtesy: CFE Media

When most people hear the term “Red October,” they think of international intrigue and geopolitical tensions — or perhaps a flinty, young Alec Baldwin and some questionable accent acting by Sean Connery — thanks to the 1990 movie based on Tom Clancy’s “Hunt for Red October.” But when cybersecurity experts hear of Red October, they’re likely not thinking of a fictitious submarine; instead, they’re thinking of a high-level cyber espionage campaign that began stealing confidential documents in 2007. This new malware targeted government institutions such as embassies, research facilities, nuclear groups, aerospace, and oil and gas companies.

This was a massive, prolonged attack that wasn’t uncovered until Kaspersky Lab researchers shone a light on it in early 2013. The attacks targeted many organizations in Eastern Europe, but reached 69 different countries, including the United States. While strikes on critical infrastructure and government entities are nothing new, this one proliferated for years and helped show just how vulnerable critical institutions and intelligence can be to motivated threat actors.

Hunt for Red October

The Red October malware was an advanced cyber espionage campaign that targeted a carefully selected group of high-profile diplomatic and government institutions worldwide. Kaspersky called it a unique, highly flexible malware designed to steal data and geopolitical intelligence from victims’ computer systems, mobile phones and enterprise network equipment. It gave attackers the ability to steal encrypted files and could even recover files that had already been deleted.

According to a statement on the attacks, Kaspersky Lab said: “The primary focus of this campaign targets countries in Eastern Europe, former USSR Republics and countries in Central Asia, although victims can be found everywhere, including Western Europe and North America. The main objective of the attackers was to gather sensitive documents from the compromised organisations, which included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment.”

Kaspersky initiated its investigation in October 2012 following a series of attacks against computer networks targeting international diplomatic service agencies. Their efforts ultimately uncovered a large-scale, sustained cyber espionage network using a novel and original form of malware.

The threat actors responsible for Red October designed their own malware, identified by Kaspersky as Rocra, with “its own unique modular architecture comprised of malicious extensions, info-stealing modules and backdoor Trojans.”

“To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries, with the majority being in Germany and Russia. Kaspersky Lab’s analysis of Rocra’s Command & Control (C2) infrastructure shows that the chain of servers was actually working as proxies in order to hide the location of the ‘mothership’ control server,” read the Kaspersky statement.

A new form of malware

Though Rocra bears some similarities to Flame, Kaspersky stated that they do not believe it has ties to Flame, Duqu or any other malware. Some later articles linked Red October and Turla. Unlike Stuxnet, Operation Red October did not cause physical damage to critical infrastructure or target industrial functions. It was about stealing intelligence from countries around the globe.

As advanced as Red October seemed to be, however, the cyber adversaries used a standard tool to infiltrate systems — spear-phishing. The attackers sent a targeted email to victims that included a customized Trojan dropper. This tactic remains very popular with threat actors. Why spend years searching for a hole in a company’s firewall, when you can just send an email and let the victims do the work for you? According to a study by the Swiss Cyber Institute, roughly 65% of cyber attackers have leveraged spear-phishing emails as a primary attack vector.

“In order to install the malware and infect the system the malicious email included exploits that were rigged for security vulnerabilities inside Microsoft Office and Microsoft Excel,” Kaspersky said. “The exploits from the documents used in the spear-phishing emails were created by other attackers and employed during different cyberattacks including Tibetan activists as well as military and energy sector targets in Asia. The only thing that was changed in the document used by Rocra was the embedded executable, which the attackers replaced with their own code.”

Kaspersky also noted that there were some clues that pointed to a Russian attacker — the code used Russian-influenced English and one of the commands in the Trojan dropper changed the default system codepage of the command prompt session to 1251, which is required to render Cyrillic fonts — but these could have been efforts to throw investigators off the real scent.

“We’ve seen use of the word ‘proga’ — a slang word common among Russians, which means program or application,” said Kaspersky chief malware researcher Vitaly Kamluk in a BBC article. “It’s not used in any other language as far as we know.”

Red October design

The Operation Red October hackers designed an intelligent malware that included several extensions and malicious files that could quickly adjust to different systems’ configurations. Kaspersky noted three major characteristics of this new malware:

  1. A “resurrection” module: This allowed Rocra to “resurrect” infected machines and hide once it was discovered. The module is embedded as a plug-in inside Adobe Reader and Microsoft Office installations and provides attackers a way to regain access to a target system if the main malware body is discovered and removed, or if the system is patched.
  2. Advanced cryptographic spy modules: Rocra had the ability to steal files from different cryptographic systems, such as Acid Cryptofiler, known to be used at the time by the North Atlantic Treaty Organization (NATO), the European Union, European Parliament and the European Commission.
  3. Access to mobile devices: Rocra was capable of stealing data from mobile devices and configuration information from enterprise network equipment, such as routers and switches. It could even recover deleted files from removable disk drives.

Investigators reported there were 55,000 connections spanning 250 different internet protocol (IP) addresses between Nov. 2, 2012, and Jan. 10, 2013. This was a sophisticated and patient multiyear effort impacting critical industries around the world.

Swiss Army malware

A unique feature of the Rocra malware was that it could do a little bit of everything. It could extract files, emails and passwords; record keystrokes; steal web browsing histories; retrieve calendars, call histories and text messages from smartphones; collect information about installed software; and more.

The extent of Red October and its ability to tailor itself to the unique configurations of infected machines — it had more than 1,000 modules at its disposal — made it one of the most advanced cyber espionage campaigns in history. Its targeting of critical infrastructure like nuclear, energy, oil and gas, aerospace and military made it a threat to governments around the world and a cautionary tale that helped organizations understand the breadth of the threat that’s out there.

Backing up Operation Red October were more than 60 command and control (C&C) domains, but that infrastructure started coming apart shortly after Kaspersky revealed the attacks. Soon after the first report came out, hosting providers and domain owners started shutting down servers used to help run the campaign.

“It’s clear that the infrastructure is being shut down. This time it’s being shut down for good,” said Costin Raiu of Kaspersky in a Threatpost article. “Not only the registrars killing the domains and the hosting providers killing the command-and-control servers but perhaps the attackers shutting down the whole operation.”

But a highly technical and coordinated attack like Operation Red October doesn’t just disappear. In 2014, Kaspersky noticed that the Cloud Atlas malware used a similar spear-phishing file, went after many of the same victims and even targeted some of the same machines. After examining their tactics, tools and targets, researchers speculated that the same group may have been behind both campaigns.

To help deter attacks like Red October, it’s important to run frequent updates on Microsoft Office, Windows OS, PDF software and Java. Organizations should also be very aware of the kinds of emails that are opened and the attachments that are downloaded, especially if they are from an unknown source.

For additional technical details, a more comprehensive version of the Kaspersky report can be found at SecureList.
