
'Red October' malware spies on governments worldwide

It may have taken five years to discover, but a spying campaign against governments, dubbed Red October, has been exposed by Kaspersky Lab.

Charlie Osborne, Contributing Writer
Charlie Osborne is a cybersecurity journalist and photographer who writes for ZDNet and CNET from London. PGP Key: AF40821B.

Kaspersky Lab has discovered yet another worldwide spying campaign that targets governmental bodies, political groups and research institutions.

On a par with the memorable Flame malware, Kaspersky and a number of Computer Emergency Response Teams (CERTs) discovered the malware -- known as Rocra or Red October -- which mostly targets institutions in Eastern Europe, former Soviet republics and Central Asia.

Kaspersky says that Red October has been gathering data and intelligence from "mobile devices, computer systems and network equipment" and is still active. Stolen data is sent to multiple command-and-control servers in an infrastructure the security firm says rivals Flame in complexity.

The malware is delivered via spear-phishing emails which, according to the firm, target carefully selected victims within an organization. The attached documents carry at least three different exploits for Microsoft Excel and Word; once opened, they drop a trojan onto the machine, which then scans the local network for other vulnerable hosts.

By dropping modules that carry out a number of "tasks," usually as .dll libraries, an infected machine obeys commands sent from the command center and then immediately discards the evidence. Separated into "persistent" and "one-time" tasks, the malware is able to spy and steal in a number of ways, including:

  • Waiting for a Microsoft Office or PDF document and executing a malicious payload embedded in that document;
  • Creating one-way covert channels of communication;
  • Recording keystrokes and taking screenshots;
  • Retrieving e-mail messages and attachments;
  • Collecting general software and hardware environment information;
  • Extracting browsing history from Chrome, Firefox, Internet Explorer and Opera, along with saved passwords;
  • Extracting Windows account hashes;
  • Extracting Outlook account information;
  • Performing network scans and dumping configuration data from Cisco devices where available.

Some tasks, delivered as .exe files, remain resident on the system waiting for the right conditions, for example a phone being connected. Handsets running Microsoft's Windows Mobile, the iPhone and Nokia models are all said to be targeted.

Designed to steal encrypted files and even files that have been deleted from a victim's computer, the malware -- named as a hat-tip to the novel "The Hunt for Red October" -- has several key features that suggest it may be state-sponsored, although there is no official word on this yet.

Among those features is a "resurrection module" that keeps the infection hidden, disguised as a plugin for a program such as Microsoft Office, and can reinstate the infection after it has been removed.

In addition, Red October does not focus on workstations alone: it is also able to infect and steal data from mobile devices, hijack information from external storage drives, access FTP servers and lift information from email databases.

To control the network of infections, Kaspersky says, over 60 domain names and several servers hosted in various countries are employed. To keep the main command center secret, the C&C infrastructure works as a large chain of proxies.

Kaspersky believes that the attackers have been active for a minimum of five years, based on domain name registration dates and PE compile timestamps, and the firm "strongly believes" that the malware has Russian-speaking origins.
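One of the two age indicators cited above, the PE compile timestamp, can be read straight out of a Windows binary's COFF header. The script below is an added example for this article, not Kaspersky's tooling: it parses the `TimeDateStamp` field, bounds the earliest and latest build across a set of samples, and, because no real binary is shipped with the page, constructs a header-only PE stub to run against. The caveat a practitioner would attach is that this field is written by whoever builds the binary and is trivially forged, so it is corroborating evidence alongside domain registration dates, not proof of age on its own.

```python
"""Read the COFF TimeDateStamp from PE images and bound a campaign's build window.

Added example; not code from Kaspersky Lab or the Red October toolkit.
build_minimal_pe() produces a constructed header-only stub for offline testing.
"""
import struct
import sys
from datetime import datetime, timezone


def pe_timestamp(data: bytes) -> datetime:
    """Return the PE header TimeDateStamp as an aware UTC datetime.

    Layout: MZ header, e_lfanew at 0x3C pointing at "PE\\0\\0", then the
    20-byte COFF file header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    Raises ValueError if the buffer is not a PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    # The field is set at link time by the builder and can be zeroed or
    # forged, so treat the result as a claim, not a fact.
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def compile_window(samples):
    """Earliest and latest TimeDateStamp across a set of PE buffers.

    The spread across a toolkit's modules is the kind of evidence used to
    argue how long the developers have been active.
    """
    stamps = [pe_timestamp(s) for s in samples]
    return min(stamps), max(stamps)


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed header-only PE stub (not a runnable binary) for testing."""
    e_lfanew = 0x40
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 1 section, stamp, no symbols, 0xE0 optional header, EXE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: pass one or more PE files on the command line.
        blobs = [open(p, "rb").read() for p in sys.argv[1:]]
    else:
        # Demo on constructed stubs spanning roughly three years.
        blobs = [build_minimal_pe(1200000000), build_minimal_pe(1300000000)]
    first, last = compile_window(blobs)
    print("earliest build:", first.isoformat())
    print("latest build:  ", last.isoformat())
```

Run it against a directory of dropped .dll and .exe modules to get a first bound on how long a toolkit has been in development; any timestamp that postdates the sample's first sighting, or sits at zero, is a sign the field was tampered with and should be discarded from the estimate.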

The scale of the operation may point to state sponsorship. As Kaspersky Lab notes:

The information stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states. Such information could be traded in the underground and sold to the highest bidder, which can be of course, anywhere.

Any harvested information, including stolen credentials or confidential data, is stored for later use. For example, if an attacker needs to guess a password elsewhere, the harvested data may provide clues -- building an espionage archive the attackers can refer back to when needed. After at least five years of activity, the Russian security firm believes that at least 5 terabytes of confidential information could have been stolen.

"During the past five years, the attackers collected information from hundreds of high profile victims although it's unknown how the information was used. It is possible that the information was sold on the black market, or used directly," Kaspersky said.

The majority of infections are in Russia, although Kazakhstan, Azerbaijan, the U.S. and Italy have all reported cases. The exploits appear to have Chinese origins, whereas the malware modules may have a Russian background.

Red October was first brought to Kaspersky's attention in October 2012 after a tip from an anonymous source. A full report on the spying campaign is due to be published this week.

This item first appeared on ZDNet under the headline "'Red October' spies on diplomats, governments worldwide."