Diplomatic and government agencies targeted in years-long cyberespionage operation

The attackers used custom malware to target organizations from 39 countries, Kaspersky Lab says

Unidentified attackers stole sensitive information from hundreds of diplomatic, government, research and military organizations from around the world as part of a newly uncovered cyberespionage campaign that started nearly six years ago. The operation involved the use of highly customized and sophisticated data theft malware, researchers from antivirus firm Kaspersky Lab said Monday.

Kaspersky researchers started investigating the ongoing operation, which they dubbed "Red October," in October 2012. However, based on timestamps found in associated malicious files and registration dates for some of the command-and-control domain names, the attack campaign might have started in May 2007, they said Monday in a blog post.

The targeted organizations include embassies, government agencies, military facilities, nuclear and aerospace research institutions, oil and gas companies and other high-profile institutions. Several hundred systems have been infected within the targeted organizations, said Costin Raiu, director of Kaspersky Lab's global research and analysis team.

Many of the affected organizations are located in former USSR states such as Russia, Ukraine, Belarus, Kazakhstan, Armenia and Azerbaijan. However, victims have also been identified in the United States, Brazil, India, Belgium, Switzerland, Germany and other countries, with some specific exceptions such as China, Raiu said.

In total, affected organizations have been identified in 39 countries, according to a detailed analysis of the operation published Monday by Kaspersky Lab.

"We believe that the main goal of this operation is to obtain classified information which can be used for geopolitical gains," Raiu said. There's no proof that this cyberespionage operation is sponsored by a nation state, but the high-profile data stolen from the victims can of course be used by nation states to their advantage. One possibility is that this information is stolen with the intent of being sold to the highest bidder, he said.

The spear-phishing attacks -- targeted email attacks -- associated with this cyberespionage operation distribute malicious documents that exploit known vulnerabilities in Microsoft Excel or Word to install a custom piece of malware on computers. It appears that the same exploits were previously used in targeted attacks against Tibetan activists, as well as military and energy sector targets in Asia.

The exploits used in the Red October operation appear to have been created on computers that use Simplified Chinese character encoding, Raiu said. However, there's strong reason to believe that the distributed malware was created by Russian-speaking developers, he said.

It is unclear why the Red October attackers are reusing the Chinese exploits instead of creating their own, but one possibility is that they are attempting to trick investigators into believing that the attacks are associated with other campaigns, Raiu said.

Despite the fact that these exploits are known, some antivirus products don't detect them because they have been slightly modified to evade detection. It's also possible that other methods of distributing the malware are used, but they haven't been identified yet, Raiu said.

The malware installed on computers can download and execute additional encrypted modules, each with its own specific functionality. More than 1,000 modules have been identified so far by the Kaspersky researchers.

Once a system is infected, the attackers spend a few days performing reconnaissance by using different modules to gather information from the system such as, for instance, what applications are installed, what USB devices are attached, the browser history, the stored FTP and email credentials, and the available remote shares.

Additional modules are then deployed to steal data from USB drives, including deleted files, download contact lists, call history, calendar entries or SMS messages from connected mobile phones (Windows Mobile, iPhones and Nokia phones are supported); steal emails from local Outlook storage or remote IMAP/POP3 servers; take screenshots and record keystrokes; and more.

There are also modules for so-called "lateral movement" inside the network -- the infection of other systems on the network. These modules can scan for and exploit known vulnerabilities on other systems, download configuration data from routers, access local FTP servers and other types of servers with stolen credentials, and more.

The types of files targeted by the malware include: txt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau, cif, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca, aciddsk, acidpvr, acidppr and acidssa.

The acid* files are particularly interesting because they are associated with a classified piece of software called "Acid Cryptofiler" that is used by government organizations to encrypt files and hard drives, Raiu said. Searches on Google will reveal that this software is used by entities like the European Union and NATO, he said.

For the most part, the Red October campaign has gone undetected for more than five years. Some of the malware's modules have been detected from time to time by antivirus products, but no one has ever put the pieces together to uncover the full extent of the operation until now, Raiu said.

The Kaspersky researchers believe that the Red October campaign is more sophisticated than previously documented cyberespionage campaigns like Aurora or Night Dragon. Some of those attacks might have used zero-day exploits -- exploits for previously unknown and unpatched vulnerabilities -- for distribution, but this attack is much more complex in terms of lateral movement and data exfiltration, Raiu said.

The Red October attackers spend a couple of days gathering information about an infected system and its network before deciding which modules to use and how. The attacks are more personal and the level of customization is greater, Raiu said.

The operation's command-and-control infrastructure is also sophisticated. The Kaspersky researchers discovered more than 60 domain names used for command-and-control purposes that are hosted on servers in Russia, Germany and other countries. The whole infrastructure is actually a chain of servers that act as proxies to hide the main and yet-to-be-identified "mothership" server, they said.

Given the length of the operation, the Kaspersky researchers believe that hundreds of terabytes of sensitive data have probably been stolen until now.

Raiu declined to name any of the affected organizations, but said that the company is open to working with the national CERTs (computer emergency response teams) from countries where victims were identified and provide them with the IP (Internet protocol) addresses of the victims.

Join the CSO newsletter!

Error: Please check your email address.

Tags intrusionsecuritydata breachDesktop securityspywaremalwarekaspersky lab

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place