What you should know about the Red October virus

In October 2012, Kaspersky Lab discovered what could be the most powerful and complex computer virus to date. They are calling it Red October, after the submarine featured in the Tom Clancy novel and movie of the same name, because of the way it has been lurking around for the past five years gathering top-secret intelligence from countries all over the world.

Here’s the rundown:

The writers are still unidentified

Because Red October’s code contains Russian slang words and Chinese coding styles, and appears to have some parts written by professionals and others by capable amateurs, nobody knows who wrote it or who is collecting the intel. Some think it is state sponsored, like Stuxnet and Flame; others are not so sure.

The virus has hit targets in more than 60 countries

Red October’s targets seem to be primarily located in South-east Europe and Central Asia, but other targets, including ones in Australia, Japan, and the US, have been hit too. China has yet to report an infection, leading some to believe that it is behind the campaign; Kaspersky is quick to point out that this may be an intentional move to make it seem like China is the instigator.

In the wild for five years

It would appear that Red October has been operating online since late 2007, routing through over 60 domain names and proxy server locations to keep itself hidden. The virus has been hitting the same targets continuously, using the same passwords and keys obtained from previous strikes to re-access target hardware.

Red October has hit NATO

NATO encrypts all of its files with what is called an 'Acid Cryptofiler', but because Red October uses a keylogger to record passwords, NATO files have been compromised. The EU uses the same encryption method, meaning that this might be the biggest security breach in history.

Email transmission

Not only does Red October transmit via emails, it uses a selective technique called 'spear phishing' to hit specific targets as well as to keep itself under the radar. The emails have subject lines tailored to the recipient, and will discreetly infect the machine and extract data once opened.

Red October (like Flame) can infect mobiles

Just like Flame, Red October is able to infiltrate mobile devices such as the iPhone and certain Windows and Nokia platforms. Red October is able to steal information such as contact lists, call history, message contents, and even browsing history.

Most infections have occurred in Russia

Because Kaspersky has identified the virus, most countries have ramped up their security measures significantly. The most infected victim? Russia, with 35 infections. Following closely behind is Kazakhstan.

The investigation is still ongoing

The virus has officially been identified, but the command and control servers are slowly being shut down, which means the culprit is destroying the evidence. What is troublesome to researchers is that the virus has the ability to essentially “hide out” in sensitive machines and reactivate at a later date, perhaps one more convenient for the hacker. Whether that happens, only time will tell.

Charles Trentham is a diehard tech blogger who loves to write about software, technology, and future science. After retiring from a small telecom startup after the bubble burst, he's been blogging full time, including some freelance work on such topics as internet security software in order to feed his tech habits. He enjoys spending time with his family and Kelpie named Elaine.
