Home page logo

funsec logo funsec mailing list archives

"Red October" spy campaign uncovered, rivals Flame virus
From: Jeffrey Walton <noloader () gmail com>
Date: Wed, 16 Jan 2013 10:53:21 -0500

[Thanks to KW on the cryptography mailing list]


Researchers have discovered that various high-level entities – from
government bodies and embassies to energy and nuclear research groups
– have been the targets of a five-year cyber espionage campaign that
remains ongoing.

Organizations left in the path of “Rocra,” malware used in the
campaign dubbed "Red October”, include those primarily in Eastern
Europe, more specifically, former Soviet republics, though infections
also have been scattered throughout Central Asia, North America and
Western Europe, according to Kaspersky Lab, which discovered the
campaign after an unnamed client requested the firm investigate a
spear phishing attack.

Named after the submarine in Tom Clancy's novel The Hunt for Red
October, the campaign deploys malware to steal sensitive information,
including files encrypted by Acid Cryptofiler, classified software
used to safeguard confidential data maintained by such organizations
as the European Union, the North Atlantic Treaty Organization (NATO)
and European Parliament.

Impacted endpoints include not only workstations, but mobile devices
that become infected when users connect them to compromised machines.
Kaspersky published a blog post Monday saying 35 organizations were
compromised in Russia, 21 in Kazakhstan, and six in the United States.

Rocra makes its way to victims by way of targeted emails crafted for
specific individuals within organizations. Attackers attached
Microsoft Word or Excel files containing Rocra, which exploits three
now-patched vulnerabilities in the programs, CVE-2009-3129 in Excel,
CVE-2010-3333 and CVE-2012-0158 in Word.

The malware steals an extensive list of specific types of documents or
files, including txt, docx, doc and, more notably, “acid” extensions
that denote those created using Acid Cryptofiler software. Rocra is
also capable of stealing data from removable disk drives – even files
that have been deleted through a recovery process – and emails from
Outlook storage and remote or local network servers.

Kaspersky researchers also found the malware was able to “resurrect”
on machines where Rocra has been removed, as a module of the trojan is
embedded in Adobe Reader and Microsoft Office plug-ins to send a
phishing email to victims to start the infection process all over

Because of the registration information identified on
command-and-control servers, researchers believe Red October attackers
are a Russian-speaking group. Perpetrators have used a complex network
of servers and more than 60 domain names to hide the whereabouts of
their infrastructure.

Hundreds worldwide have been infected with Rocra across several fields
and industries, including government bodies and embassies, research
institutions, trade and commerce groups, nuclear and energy research
facilities, oil-and-gas companies, an aeropace and defense firms.
Researchers found no evidence that the campaign is the work of a
nation-state, but, given the sensitive nature of the data stolen,
perpetrators may seek to sell such information to highly funded groups
like nation-states in underground markets.

The campaign, which “rivals in complexity the infrastructure of the
Flame malware,” according to Kaspersky's post, is not believed to be
related to the family of malware that was discovered last year on
Iranian oil ministry computer systems.

Kaspersky also found that Red October surpassed the sophisticated
Aurora and Night Dragon campaigns, which targeted Google in 2010 and
oil companies Exxon Mobile and BP in 2011 to steal proprietary

“During our investigation, we've uncovered over 1,000 unique files,
belonging to about 30 different module categories,” said the Kaspersky
post. “Generally speaking, the Aurora and Night Dragon campaigns used
relatively simple malware to steal confidential information.

“With Rocra, the attackers managed to stay in the game for over five
years and evade detection of most anti-virus products while continuing
to exfiltrate what must be hundreds of terabytes [of data] by now.”

A study released last Thursday by security firm Trusteer found that
advanced malware is a much more pervasive problem than most would

The firm conducted a study using a sample of hundreds of thousands of
endpoint devices in its network and found that 1 in 500 employee
endpoints were infected with sophisticated, information-stealing
malware at any given point in time.

George Tubin, a security strategist at Trusteer, told SCMagazine.com
on Monday that all it takes is one weak link for perpetrators to get
desired access to an entire organization.

“In a large organization with 10,000 employees, all you need is one
employee to be compromised to get into the organization,” Tubin said.
“[These campaigns] are different from attacks on financial
institutions, where the criminal actually goes and steals money – or
does something for financial gain to directly to make money.”

Oftentimes, organizations miss the signs that they have been attacked,
due to perpetrators using exploits or malware unknown to security

“The institution may never even realize that they've been
compromised,” Tubin said. "Recent studies show that [most] companies
only find out they've been compromised when some third party alerts
them. Otherwise they really wouldn't know."
Fun and Misc security discussion for OT posts.
Note: funsec is a public and open mailing list.

  By Date           By Thread  

Current thread:
  • "Red October" spy campaign uncovered, rivals Flame virus Jeffrey Walton (Jan 16)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]