Red October malware discovered after years of stealing data in the wild

This piece of malware has been stealing data from diplomatic, government and scientific research computer networks for more than five years.

A shadowy group of hackers has siphoned intelligence data worldwide from diplomatic, government, and scientific research computer networks for more than five years, including targets in the United States, according to a report from Kaspersky Lab.

Kaspersky Lab began researching the malware attacks in October and dubbed them "Rocra," short for "Red October." Rocra uses a number of security vulnerabilities in Microsoft Excel, Word, and PDF documents types to infect PCs, smartphones, and computer networking equipment. On Tuesday researchers discovered the malware platform also uses Web-based Java exploits.

It's not clear who is behind the attacks, but Rocra uses at least three publicly known exploits originally created by Chinese hackers. Rocra's programming, however, appears to be from a separate group of Russian-speaking operatives, according to the report from Kaspersky Lab.

The attacks are ongoing and targeted at high-level institutions in what are known as spear-phishing attacks. Kaspersky estimates that the Red October attacks have likely obtained hundreds of terabytes of data in the time it has been operational, which could be as early as May 2007.

Rocra infections were discovered in more than 300 countries between 2011 and 2012, based on information from Kaspersky's antivirus products. Affected countries were primarily former members of the U.S.S.R., including Russia (35 infections), Kazakhstan (21), and Azerbaijan (15).

Other countries with a high number of infections include Belgium (15), India (14), Afghanistan (10), and Armenia (10). Six infections were uncovered at embassies located in the United States. Because these numbers came only from machines using Kaspersky software, the real number of infections could be much higher.

Take it all

Kaspersky said the malware used in Rocra can steal data from PC workstations and smartphones connected to PCs including the iPhone, Nokia, and Windows Mobile handsets. Rocra can acquire network configuration information from Cisco-branded equipment, and grab files from removable disk drives including deleted data.

The malware platform can also steal e-mail messages and attachments, record all keystrokes of an infected machine, take screenshots, and grab browsing history from Chrome, Firefox, Internet Explorer, and Opera Web browsers. As if that wasn't enough, Rocra also grabs files stored on local network FTP servers and can replicate itself across a local network.

Par for the course

Even though Rocra's capabilities appear extensive, not everyone in the security field was impressed by Rocra's methods of attack. "It appears the exploits used were not advanced in any way," the security firm F-Secure said on its company blog. "The attackers used old, well-known Word, Excel and Java exploits. So far, there is no sign of zero-day vulnerabilities being used." A zero-day vulnerability is one that was previously unknown and is discovered only once exploits for it are found in the wild.

Despite being unimpressed by its technical capacity, F-Secure says the Red October attacks are interesting because of the length of time Rocra has been active and the scale of the espionage undertaken by a single group. "However," F-Secure added, "the sad truth is that companies and governments are constantly under similar attacks from many different sources."

Rocra starts when a victim downloads and opens a malicious productivity file (Excel, Word, PDF) that can then retrieve more malware from Rocra's command-and-control servers, a method known as a Trojan dropper. This second round of malware includes programs that collect data and send that information back to hackers.

Stolen data can include everyday file types such as plain text, rich text, Word, and Excel, but the Red October attacks also go after cryptographic data such as PGP- and GPG-encrypted files.

In addition, Rocra looks for files that use "Acid Cryptofile" extensions, which is cryptographic software used by governments and organizations including the European Union and the North Atlantic Treaty Organization. It's not clear whether the people behind Rocra are capable of deciphering any encrypted data they obtain.

E-mail rebirth

Rocra is also particularly resistant to interference from law enforcement, according to Kaspersky. If the campaign's command-and-control servers were shut down, the hackers have designed the system so they can regain control over their malware platform with a simple e-mail.

One of Rocra's components searches for any incoming PDF or Office document that contains executable code and is flagged with special metadata tags. The document will pass all security checks, Kaspersky says, but once it's downloaded and opened, Rocra can start a malicious application attached to the document and continue feeding data to the bad guys. Using this trick, all the hackers have to do is set up some new servers and e-mail malicious documents to previous victims to get back in business.

Rocra's servers are set up as a series of proxies (servers hiding behind other servers), which makes it much harder to discover the source of the attacks. Kaspersky says the complexity of Rocra's infrastructure rivals that of the Flame malware, which was also used to infect PCs and steal sensitive data. There is no known connection between Rocra and Flame, or with malware such as Duqu, which was built on code similar to Stuxnet.

As noted by F-Secure, the Red October attacks don't appear to be doing anything particularly new, but the amount of time this malware campaign has been in the wild is impressive. Similar to other cyber espionage campaigns such as Flame, Red October relies on duping users into downloading and opening malicious files or visiting malicious websites where code can be injected into their devices. This suggests that while computer espionage may be on the rise, the basics of computer security can go a long way to prevent these attacks.

Take precautions

Useful precautions such as being wary of files from unknown senders, or watching out for files that are out of character for their purported sender, are a good start. It's also useful to be wary of visiting websites you don't know or trust, especially when using corporate equipment. Finally, make sure you have all the latest security updates for your version of Windows, and seriously consider turning off Java unless you absolutely need it. You may not be able to prevent all manner of attacks, but adhering to basic security practices can protect you from many bad actors online.

Kaspersky says it's not clear if the Red October attacks are the work of a nation state or criminals looking to sell sensitive data on the black market. The security company plans to release more information about Rocra in the coming days.

If you're concerned about whether any of your systems are affected by Rocra, F-Secure says its antivirus software can detect the currently known exploits used in the Red October attacks. Kaspersky's antivirus software can also detect threats from Rocra.

Stories by Ian Paul