Red October: Espionage Campaign Targeting Government, Other High-Profile Organizations

The operation dates as far back as 2007 and has claimed hundreds of victims

Figure: Geographical distribution of Red October victims
Experts from security firm Kaspersky have identified a highly sophisticated cyber espionage campaign that targets organizations from a wide range of sectors, including government, research, trade and commerce, aerospace, military, diplomatic, oil and gas, and nuclear.

The campaign, dubbed Red October, dates as far back as May 2007 and has claimed hundreds of victims all over the world. While the main targets appear to be organizations in Eastern Europe, Central Asia and former USSR member states, victims have also been identified in Western Europe and North America.

The main goal of this campaign appears to be the harvesting of sensitive information from the infected networks. This includes files bearing extensions such as txt, csv, eml, odt, docx, rtf, xls, key, xia, and ones associated with a piece of software called Acid Cryptofilter, utilized by NATO and the EU.

To achieve their objectives, the attackers have set up over 60 domains utilized to control and retrieve data from the victims. Most of these domains are associated with IPs from Russia and Germany.

One noteworthy fact about the malware that powers this operation is that it’s capable of stealing data from smartphones, removable drives, email databases, and local FTP servers. Enterprise networking components, Cisco devices in particular, are also targeted.

The malware, usually disguised as harmless-looking documents sent out in spear phishing emails, exploits at least three different vulnerabilities in Microsoft Office applications.

So far, no connections have been found between Rocra, the malware behind the campaign, and other complex pieces of malware such as Duqu, Flame or Gauss.

It’s uncertain who is behind the campaign, but evidence shows that the exploits may have been created by Chinese hackers, while the malware module appears to have been developed by Russian-speaking individuals.

No evidence has been found to link these attacks to a nation-state, but experts emphasize the fact that the stolen information could be used by such actors.

Kaspersky has published the first part of its research paper on Red October. The second part will be released in the upcoming days.
