Threat Intelligence, Malware

“Red October” spy campaign uncovered, rivals Flame virus

Researchers have discovered that various high-level entities – from government bodies and embassies to energy and nuclear research groups – have been the targets of a five-year cyber espionage campaign that remains ongoing.

Organizations left in the path of “Rocra,” malware used in the campaign dubbed "Red October”, include those primarily in Eastern Europe, more specifically, former Soviet republics, though infections also have been scattered throughout Central Asia, North America and Western Europe, according to Kaspersky Lab, which discovered the campaign after an unnamed client requested the firm investigate a spear phishing attack.

Named after the submarine in Tom Clancy's novel The Hunt for Red October, the campaign deploys malware to steal sensitive information, including files encrypted by Acid Cryptofiler, classified software used to safeguard confidential data maintained by such organizations as the European Union, the North Atlantic Treaty Organization (NATO) and European Parliament.

Impacted endpoints include not only workstations, but mobile devices that become infected when users connect them to compromised machines. Kaspersky published a blog post Monday saying 35 organizations were compromised in Russia, 21 in Kazakhstan, and six in the United States.

Rocra makes its way to victims by way of targeted emails crafted for specific individuals within organizations. Attackers attached Microsoft Word or Excel files containing Rocra, which exploits three now-patched vulnerabilities in the programs, CVE-2009-3129 in Excel, CVE-2010-3333 and CVE-2012-0158 in Word.

The malware steals an extensive list of specific types of documents or files, including txt, docx, doc and, more notably, “acid” extensions that denote those created using Acid Cryptofiler software. Rocra is also capable of stealing data from removable disk drives – even files that have been deleted through a recovery process – and emails from Outlook storage and remote or local network servers.

Kaspersky researchers also found the malware was able to “resurrect” on machines where Rocra has been removed, as a module of the trojan is embedded in Adobe Reader and Microsoft Office plug-ins to send a phishing email to victims to start the infection process all over again.

Because of the registration information identified on command-and-control servers, researchers believe Red October attackers are a Russian-speaking group. Perpetrators have used a complex network of servers and more than 60 domain names to hide the whereabouts of their infrastructure.

Hundreds worldwide have been infected with Rocra across several fields and industries, including government bodies and embassies, research institutions, trade and commerce groups, nuclear and energy research facilities, oil-and-gas companies, an aeropace and defense firms. Researchers found no evidence that the campaign is the work of a nation-state, but, given the sensitive nature of the data stolen, perpetrators may seek to sell such information to highly funded groups like nation-states in underground markets.  

The campaign, which “rivals in complexity the infrastructure of the Flame malware,” according to Kaspersky's post, is not believed to be related to the family of malware that was discovered last year on Iranian oil ministry computer systems.

Kaspersky also found that Red October surpassed the sophisticated Aurora and Night Dragon campaigns, which targeted Google in 2010 and oil companies Exxon Mobile and BP in 2011 to steal proprietary information.

“During our investigation, we've uncovered over 1,000 unique files, belonging to about 30 different module categories,” said the Kaspersky post. “Generally speaking, the Aurora and Night Dragon campaigns used relatively simple malware to steal confidential information.

“With Rocra, the attackers managed to stay in the game for over five years and evade detection of most anti-virus products while continuing to exfiltrate what must be hundreds of terabytes [of data] by now.”

A study released last Thursday by security firm Trusteer found that advanced malware is a much more pervasive problem than most would expect.

The firm conducted a study using a sample of hundreds of thousands of endpoint devices in its network and found that 1 in 500 employee endpoints were infected with sophisticated, information-stealing malware at any given point in time.

George Tubin, a security strategist at Trusteer, told on Monday that all it takes is one weak link for perpetrators to get desired access to an entire organization.

“In a large organization with 10,000 employees, all you need is one employee to be compromised to get into the organization,” Tubin said. “[These campaigns] are different from attacks on financial institutions, where the criminal actually goes and steals money – or does something for financial gain to directly to make money.”

Oftentimes, organizations miss the signs that they have been attacked, due to perpetrators using exploits or malware unknown to security professionals.

“The institution may never even realize that they've been compromised,” Tubin said. "Recent studies show that [most] companies only find out they've been compromised when some third party alerts them. Otherwise they really wouldn't know."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.