Red October Cyber Espionage Campaign Hits Global Governments

A major cyber espionage campaign, believed to have been carried out by a Russian-speaking organisation, has hit governments across the world.

For at least five years, a team of hackers has been carrying out a major cyber espionage project on embassies and other government bodies, Kaspersky Lab revealed today.

The Red October initiative, named by Kaspersky, remains active today and focused on siphoning data out of agencies, with Russia  seemingly the main target.

The attackers were able to steal information from a range of devices, including PCs, iPhones and other smartphones, enterprise network gear, such as Cisco’s, and removable hard drives.

Russian cyber espionage

As for the Russian connection, Kaspersky had various pieces of evidence all but proving the link.

“[Based] on registration data of C&C servers and numerous artefacts left in executables of the malware, we strongly believe that the attackers have Russian-speaking origins,” Kaspersky Lab said, in a blog post.

When looking at what was dropped after initial infection, Kaspersky found a command to switch the codepage, or character encoding, of an infected system to ‘1251’. “This is required to address files and directories that contain Cyrillic characters in their name.”

Cyrillic is a script used in various Eastern European nations and former USSR satellite states, including Russia, Belarus, Bosnia and Herzegovina, Bulgaria, Serbia, Tajikistan and Ukraine.

Yet Vitaly Kamluk, chief malware analyst at Kasperksy Lab, told TechWeekEurope there was no “strict evidence” a nation state was behind the campaign. But it was one of the most targeted campaigns seen to date – more so than the Flame and Gauss cyber espionage campaigns that were last year revealed to have hit government bodies.

“In Red October, the attackers seem to be hunting for specific organisations. They are interested in high-quality, high-profile information,” Kamluk said.

“That explains why the number of infected machines is so low – just over 300 machines… but every target was specifically selected. What makes this attack different from Flame and others is that every attack was planned very carefully.

“They shaped every attack attempt very carefully, and even created specific modules for targets. Not all the targets received the same binaries.

“Inside the malware, you can find a user ID, which actually shows it is a specific piece of malware compiled for a specific [target].”

Yet the hackers did not bother with creating their own exploit code. Instead, they borrowed known code that was made public following attempts to spy on Tibetan activists, which had “Chinese origins”, Kaspersky said.

Russia appeared to be the main target, as it was home to 35 systems infected with at least one module of the relevant malware. Kazakhstan had 21, whilst Azerbaijan, Belgium and India had 15 each. There were none in the UK.

The attackers sought to infect various government bodies, embassies in particular. Looking deeper into the figures, Kaspersky said government research institutes in Russia, Belarus and Kazakhstan, as well as foreign embassies in Russia, Iran and Ireland were all hit. Nuclear and energy groups, and military bodies in Russia and Kazakhstan were victims too.

Infection numbers are likely to be higher, as the data was taken from Kaspersky’s AV network, which will only cover its own customers.

Hyper-targeting

The Red October group used standard targeted attack methods to infect systems. First, they sent over specially-crafted emails to dupe the target into unwittingly downloading malware, in what is known as spear-phishing, by clicking on attached Microsoft Word and Microsoft Excel containing malicious code.

Additional modules were then uploaded from the command and control (C&C) server, including ones that dealt with smartphone infections. Infections did not actually reach iPhones, but data was pilfered from iTunes, which syncs with Apple’s smartphone. Windows Phones were directly infected, however.

The spyware attempted to steal data from various cryptographic systems, including one used by  used by different bodies within the European Union, European Parliament and European Commission since the summer of 2011.

The attackers hid their activity in a number of ways. First, by setting up a command and control (C&C) infrastructure where 60 domain names were created and servers, located in different countries, were used. The Red October team hid the location of the “mothership control server”.

Various files were implanted in victims’ machines too, but the most cunning innovation came in the form of a special module that allowed hackers to re-infect machines after they had lost contact with the victim.

“This campaign has a lot of unique modules and this one is one of them. It is installed as a plug-in for Microsoft Office or Adobe Reader,” explained Kamluk.

“The module waits for a specific file to be opened. It is not a file which has any kind of vulnerabilities in it… but it has a special digital tag that is verified by the plug-in.

“If the tag matches the signature of the attacker then they will try to extract an embedded, encrypted executable from the document and will try to run it in the system.”

When a user deleted other modules from their machines, cutting themselves off from the C&C, the file would be sent to the target in an attempt to infect them again. As the file contains no malicious code, it would bypass anti-virus systems, or other protections, every time.

Kaspersky uncovered 1000 different malicious files related to over 30 modules during its investigation.

Regardless of whether the Red October attacks were state-sponsored or carried out by a gang wanting government data, they hint at a new level of targeting and malware sophistication in the cyber world.

What do you know about online security? Try our quiz and find out!