'Red October' cyberweapon spied on world for six years, says Kaspersky Lab

The Russian Stuxnet? Perhaps

Cyberbusting security firm Kaspersky Lab has discovered a previously unknown and potent cyberweapon that it believes has been pilfering large amounts of data from diplomatic and government agencies in former Soviet republics, Eastern Europe and Central Asia since at least 2007.

After a remarkable run of uncovering shady cyberweapons over the last two years, the discovery of 'Red October' (or 'Rocra' for short) looks like another 'gotcha' for the Russian firm.

The choice of name (after Tom Clancy's Reagan-era Cold War novel) is a dramatic device that doesn't look entirely out of place when you read Kaspersky's evidence.

First, Red October is modular (some 30 module categories in total), reasonably complex in design (around 1,000 files carrying 115 distinct creation dates, most of them within a span of just over two years), targets multiple environments (several mobile platforms as well as PCs), and had a command and control network that ran to some 60 domains, all elements that point to a cyberweapon rather than a criminal enterprise.

Although small in scale, it also evaded detection from at least 2007, a long run that suggests its code shares nothing with commercial malware; had it done so, antivirus software would have picked it up long ago.

The biggest giveaway is the data it was trying to steal: a long list of document types, but also files produced by 'Acid Cryptofiler', a secure encryption format Kaspersky said has been used by the EU and NATO since 2011. Credentials it stole were re-used in later attacks.
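A practitioner's check that follows from this passage, added here as an example rather than code from the article or from Kaspersky's report: an implant built to collect specific document types has to push them out somewhere, so an egress hunt that pairs sensitive file extensions with uploads to domains you do not expect is a cheap place to look. The proxy log format, the allowlisted domains, the sample log lines and the extension list (including the assumption that '.acid*' names stand for Acid Cryptofiler containers) are all constructed for illustration.

```python
"""Egress-log hunt for uploads of sensitive document types to unexpected hosts.

Added example; none of this comes from the article or from Kaspersky's report.
The log format, domains and extension list are assumptions for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Document types a collection-focused implant would be after. The '.acid*'
# family is assumed here to stand for Acid Cryptofiler containers.
SENSITIVE_EXT = re.compile(
    r"\.(?:docx?|xlsx?|pptx?|pdf|rtf|pgp|gpg|acid\w*)$", re.IGNORECASE
)

# Hosts where document uploads are expected (constructed allowlist).
ALLOWED_UPLOAD_DOMAINS = {"sharepoint.example.gov", "mail.example.gov"}

# Constructed proxy log format: <ts> <src_ip> <method> <url> <status> <bytes_out>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)
TOKEN_RE = re.compile(r"[\w.-]+")

# Constructed sample: one host pushes three documents to an odd domain via a
# CGI endpoint that takes the file name as a query parameter.
SAMPLE_LOG = """\
2013-01-14T09:12:01Z 10.1.2.15 GET http://www.example.com/index.html 200 0
2013-01-14T09:13:44Z 10.1.2.15 POST https://sharepoint.example.gov/upload/report.docx 200 48211
2013-01-14T09:15:02Z 10.1.2.15 POST http://update-checker.example.net/cgi-bin/ms/check.php?f=budget.xlsx 200 99123
2013-01-14T09:15:09Z 10.1.2.15 PUT http://update-checker.example.net/cgi-bin/ms/check.php?f=cables.acidcsa 200 210044
2013-01-14T09:16:30Z 10.1.2.22 POST https://mail.example.gov/send?att=memo.pdf 200 7712
2013-01-14T09:17:55Z 10.1.2.15 POST http://update-checker.example.net/cgi-bin/ms/check.php?f=contacts.pdf 200 4311
"""


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def sensitive_name(url):
    """Return the first file name in the URL path or query with a watched extension."""
    parts = urlparse(url)
    candidates = [parts.path.rsplit("/", 1)[-1]]
    candidates += TOKEN_RE.findall(parts.query)  # file names passed as parameters
    for cand in candidates:
        if SENSITIVE_EXT.search(cand):
            return cand
    return None


def hunt(log_text, allowed=ALLOWED_UPLOAD_DOMAINS, min_uploads=2):
    """Aggregate uploads of watched documents per (source, domain) outside the allowlist.

    Returns a list of findings for pairs with at least `min_uploads` uploads,
    each with the upload count, total bytes sent and the file names seen.
    """
    agg = defaultdict(lambda: {"uploads": 0, "bytes": 0, "files": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("POST", "PUT"):
            continue
        name = sensitive_name(rec["url"])
        if name is None:
            continue
        domain = urlparse(rec["url"]).hostname or ""
        if domain in allowed:
            continue
        entry = agg[(rec["src"], domain)]
        entry["uploads"] += 1
        entry["bytes"] += int(rec["bytes"])
        entry["files"].append(name)
    findings = []
    for (src, domain), entry in sorted(agg.items()):
        if entry["uploads"] >= min_uploads:
            findings.append({"src": src, "domain": domain, **entry})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['src']} -> {f['domain']}: {f['uploads']} uploads, "
              f"{f['bytes']} bytes, files {f['files']}")
```

Run against the constructed sample, the allowlisted SharePoint and mail uploads drop out and the three document uploads from 10.1.2.15 to update-checker.example.net are reported as a single finding; in a real deployment the extension list and the allowlist are the tuning points, and the count threshold keeps a single stray attachment from paging anyone.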

The malware reached its targets via spear-phishing emails carrying attachments that exploited known vulnerabilities in Microsoft Word and Excel.

The 300 or so victims found span a wide list of countries, including North America and Western Europe, but lie mainly in Eastern Europe and the former Soviet republics; 35 infections were detected in the Russian Federation alone.

There were signs of haste, or of adaptability, depending on how you interpret them. Red October's attackers re-used exploit code of Chinese origin that had already been seen in earlier attacks. Given that this code was publicly known, and so could already be matched by existing signatures, re-using it might be seen as risking exposure.

That is not old-school NSA; these guys were sometimes in a hurry to get their work done.

Evidence of complexity? Apart from the sheer scale and ambition of the malware, it used some very unusual tactics, such as a 'resurrection' mode: a small module installed as a plugin to Adobe Reader or Microsoft Office that lets the attackers reactivate the malware by sending a crafted Adobe or Office document, should the main malware be discovered and removed or its exploits patched.

If it barks like a cyberweapon, it's generally a cyberweapon. So who might be behind Red October and with what political motivation?

Kaspersky drops a few hints, starting with the malware's name in its antivirus database, Backdoor.Win32.Sputnik, and perhaps its Red October nickname too (the metaphor of a rogue Soviet submarine is illuminating). There were also clues in the code that its creators spoke Russian.

That narrows it down to native Russians or, more remotely, Russian-speaking émigrés somewhere such as Israel. Whoever built this software wanted to keep long-term tabs on the military-governmental complex in countries once allied to Russia, and on their often new allies across the globe.

"Once again, it [Red October] raises the question around what else is already out there that we are not aware of," commented Jarno Limnell of Finnish security specialist Stonesoft.

"'Red October' is also a good example of how much activity is happening on a daily basis in the cyber world. It is reminiscent of the way spies used to work during the Cold War. Here is a sophisticated attack that has infiltrated security systems without detection, which then sat there silently, working away and sending back all kinds of valuable intelligence to its controllers," he said.

"Cyber has been established as the new battlefield and governments, NGOs and commercial organisations need to recognise that attacks like 'Red October' are becoming the new norm. With regards to cyber-espionage, everybody is doing it. The question is, who is doing it in the best way?"

This is the immense power of cyberweapons, or, described less dramatically, of information-gathering systems used for political ends. They can trace the intricate web of relationships and exchanges between countries that would be impossible to reconstruct from visible evidence alone.

Where the bits and bytes go, money, goods, services, people and power follow, and wherever those flows end up is where the cyberspooks gravitate. They are glamorous for now, but also dispassionate.

My enemies' friends are my enemies too. But they are also my economic partners so the world isn't ever as simple as the maxims suggest. Better to watch everyone even if they are staring back just as intently.


By John E Dunn
