Red October goes after governments, diplomatic offices/embassies, and research, trade/commerce, nuclear/energy, oil and gas, aerospace, and military targets. Kaspersky Lab has tallied several hundred infected organizations from these sectors, mostly in Eastern Europe. Among the infected organizations: 35 in the Russian Federation, 21 in Kazakhstan, 12 in Azerbaijan and Belgium, 14 in India, and six in the U.S.
The attacks even steal data from Windows Mobile, iPhone, and Nokia smartphones at the targeted organizations.
Roel Schouwenberg, senior researcher for global research and analysis at Kaspersky Lab, says Red October is more sophisticated than the average cyberspionage campaign. “It basically goes after everything … on the desktop, your smartphone, your Cisco router, and your SIP [Session Initiation Protocol] phone … Absolutely anything that could potentially be interesting and exfiltrated,” he says. “So from this point of view, this is what advanced or sophisticated cyberespionage really looks like.”
He says the “end customer” of the stolen information is likely a nation-state. It’s just not clear based on the technical information Kaspersky has gathered thus far who is actually behind it: The exploits used in the attacks are ones used by Chinese advanced persistent threat (APT) actors, but the malware writers appear to be native Russian-speakers, according to Kaspersky’s findings.
“You look at the malware first and foremost versus the exploit to see where it comes from. Exploits can come from anywhere,” he says. “You always figure so much stuff is coming from China … and people like to piggyback on that. But other than there are Russian-speaking people” involved, we don’t know who is behind it, he says.
“I do think the end customer is a nation-state, especially with the strong emphasis on diplomatic organizations,” Schouwenberg says.
But Dmitri Alperovitch, CTO at CrowdStrike, says the attacks have all the earmarks of a nation-state sponsored initiative. “It seemed very clear that it’s a nation-state sponsored operation,” Alperovitch says.
With the malware that hasn’t been seen before in other cybercrime operations, contractors could be doing the work on behalf of the nation-state actors, he notes. He says it’s unlikely a Chinese operation. Even so, attribution is difficult, as always. “It’s hard to say: It could be Russia or other Russian-speaking countries, [including] the Ukraine or [Bellarus]. I doubt it’s China,” he says.
Alperovitch adds that Kaspersky Lab’s name for the operation, “Red October,” seems to hint of a Russian connection.
Red October doesn’t appear to be a single campaign, but, rather, a series of campaigns that may have been launched at various times and targets since 2007. Kaspersky has sinkholed more than 60 domains being used by the malware, and found victims in 39 different countries. Around 250 different IP addresses connected to the sinkhole, which it ran from last Nov. 2 to Jan. 10 of this year. Most of the IPs were from Switzerland, Kazakhstan, and Greece.
“I don’t think it was one operator or campaign like Aurora” and other similar APTs, Alperovitch says. “What you are dealing with here is a toolkit framework connected to a number of campaigns over a five- to six-year period.
“It’s clear that significant effort went into this tool over time, so it makes sense it was used for more than one operation,” he says.
Kaspersky’s Schouwenberg says he thinks this is probably only a snapshot of the operation. “Overall, I do think that they probably moved from vertical [industry] to vertical [industry] … this has been something that has been ongoing, and there might be some things we haven’t seen yet,” he says.
The attacks started with classic cyberspying spear-phishing emails, loaded with a custom Trojan dropper. The payload includes known exploits for Microsoft Word (CVE-2010-3333 and CVE-2012-0158) and Excel (CVE-2009-3129). The earliest attacks Kaspersky was able to trace used the Excel attack in 2010 and 2011, and attacks in the summer of 2012 employed the Word exploits. “The exploits from the documents used in the spear-phishing emails were created by other attackers and employed during different cyberattacks, including Tibetan activists as well as military and energy sector targets in Asia,” according to Kaspersky’s findings.
The attackers created custom versions of the so-called “Rocra” malware using the exploits. Among the capabilities of the custom malware used in the attacks: a module that lets the attackers regain a foothold into a targeted machine if it has been cleaned up or patched. The module is embedded inside Adobe Reader and Microsoft Office.
Another unique feature of the malware is that it searches for files that are encrypted with Acide Cryptofiler, an obscure encryption package used by NATO and the European Union for protecting sensitive information. Rocra also targets smartphones, routers, and switches, and can access deleted files from removable disk drives.
“They knew exactly what they were targeting,” CrowdStrike’s Alperovitch says of the Cryptofiler-finding feature. “This is not a global operation trying to get everything off of those infected machines. Whoever was receiving those files has to understand what they contain, how to decrypt them, and has other intelligence collected through other means,” he says, all of which indicates that it’s a nation-state actor, he says.
The attackers also have some serious big-data capabilities given the volume of information — terabytes — they are stealing. “There must be a very serious back end,” Kaspersky’s Schouwenberg says.
The sheer size of the command-and-control infrastructure, with some 60 domains, shows how “these guys know how to scale,” he says.
Kaspersky Lab is working with law enforcement and CERT teams around the globe in the investigation into Red October. Kaspersky Lab’s report on Red October is available here, and the firm is promising to publish a second part of the report later this week with more technical details.