CeBIT 2013: Red October Had EU And German Crypto Codes – Kaspersky

Russian special forces © Darren Baker, Shutterstock 2012

Red October cyber spies could read military and government secrets, says Kaspersky

The Red October cyber-espionage campaign had access to encryption keys which allowed it to read secret European and German documents. Kaspersky, the Russian security firm which first described the malware-based snooping operation in January, presented more details during a press conference at the CeBIT show in Hanover, Germany.

Red October operated for at least five years, attacking embassies and government bodies, stealing information from PCs and smartphones, by infecting devices with malware using flaws such as the recent Adobe weakness. Kaspersky said the outfit must have had Russian origins, or been created by Russian speakers, as there was evidence in the payload, of a command which translates the character encoding to the Russian Cyrillic alphabet.

St. Basil's Cathedral on Red square, Moscow, RussiaSecrets Read By Red October

The campaign may have been more dangerous than was thought at first, because the culprits appear to have had access to the keys for major cryptography systems, used by the European Union, NATO and the German government, said Costin Raiu, head of research at Kaspersky Labs.

The attackers appeared to posses the keys allowing them to decode exchanges using the German Chiasmus government encryption program, as well as the Acid Cryptofiler, used by NATO and the EU, said Raiu.

Costin Raiu Kaspersky

The campaign was very sophisticated, with bespoke malware aimed at specific targets, showing the that culprits knew exactly what they wanted. The basic malware underlying the attacks was largely re-used from known code of Chinese origin, that was made public following attempts to spy on Tibetan activists.

The malware used flaws in Adobe, Microsoft Word and Microsoft Excel to attack its victims.

Despite its sophistication, it appeared to fall apart after it was exposed. The command and control systems of Red October were dismantled hours after it was exposed, Raiu told TechWeekEurope in January.

Red October is part of a series of apparently political cyber expionage campaigns which also includes the Flame and Gauss operations,  which also hit government bodies.

Reporting by Peter Marwan of


What do you know about IT in Russia? Try our quiz, Tovarisch!