Kaspersky identifies 'Red October' cyberespionage network

Since 2007, a cyberespionage network has been stealing confidential data from private industry and government and research organizations in Eastern Europe, former Soviet republics and Central Asian countries, a security firm reported Monday.

The network, called Red October, has also stolen sensitive information from organizations in Western Europe and the U.S., but the focus was in the other regions, Kaspersky Lab said.

Most victims were diplomatic and government organizations, scientific research institutions, nuclear and energy groups, private trade groups and companies in the aerospace industries.

Kaspersky said it did not know whether the operation was state-sponsored or a criminal group gathering information to sell to the highest bidder. "The most probable scenario is for the end-customer to be a nation-state," Roel Schouwenberg, a senior researcher at Kaspersky Lab, told CSO Online.

Kaspersky discovered the network last year during an investigation stemming from a series of attacks against the computer networks of diplomatic service agencies.

The attackers, believed to have "Russian-speaking origins," used malware with a unique modular architecture comprising of malicious extensions, information-stealing code and backdoor Trojans. The malware is called Rocra, which is short for Red October.

The cyberespionage network compromised systems of hundreds of victims across 69 companies, Schouwenberg said. "It's likely there are more victims out there that we're currently not aware of."

[See also: Chinese cyberespionage threatens U.S. economy, DoD says]

Like cascading dominoes, computer systems fell as information stolen from one was used to penetrate another. For example, stolen credentials were compiled in a list and then used to guess passwords or phrases to gain access to additional systems.

The attackers created more than 60 domain names and several server-hosting locations in different countries, with the majority in Germany and Russia. The majority of servers were used as proxies, in order to hide the command-and-control server at the core of the operation.

The stolen data had a wide variety of extensions. One extension not seen as a target before was "acid," which appears to be documents encrypted with classified software called "Acid Cryptofiler." The European Union and the North Atlantic Treaty Organization use the software.

"Previously targeted attacks that have been analyzed and reported did not focus on stealing files that were encrypted with Acid Cryptofiler," Schouwenberg said.

The attackers used spear-phishing emails to lure victims into opening attachments that exploited vulnerabilities in Microsoft Office and Excel applications.

The exploit code had been used before in cyberattacks on Tibetan activists and military and energy-related targets in Asia, Kaspersky said. The embedded executable was unique to Rocra.

Among the unusual attributes of the Rocra malware was a "resurrection" module embedded as a plug-in in Adobe Reader and Microsoft Office applications. The plug-in made it possible for attackers to regain control of a system after the main body of the malware was discovered and removed.

In addition, the malware was capable of stealing data from mobile devices, as well as PCs. Smartphone targets included the iPhone, Nokia devices and phones running Windows Mobile.

Kaspersky conducted the investigation in collaboration with international law enforcement agencies and the Computer Emergency Response Team in Romania and Belarus.

According to the latest report from the U.S. Defense Security Service, cyber-espionage technology is more sophisticated that ever and its use against U.S. targets is growing, During fiscal years 2010-11, reports of attempts to steal sensitive or classified information and technology rose 75%.

New types of high-tech, military-grade malicious code that has made headlines over the last couple of years have included Stuxnet, Duqu and Flame. Stuxnet is believed to have damaged Iranian nuclear facilities in 2010. The U.S. and Israeli governments created the malware, The New York Times has reported.

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.

Join the CSO newsletter!

Error: Please check your email address.

Tags cyberespionageapplicationsData Protection | MalwareRed Octoberlegalsoftwaredata protectioncybercrimekaspersky labRocra

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place