Steve Elwart, P.E., Ph.D., is the executive research analyst with the Koinonia Institute and a subject matter expert for the Department of Homeland Security. He can be contacted at firstname.lastname@example.org.
A new revelation from a prominent Russian cyber research lab has set the cybersecurity world abuzz and has triggered a search worthy of a Tom Clancy novel.
After several months of investigation, Kaspersky Lab, a multinational computer security company based in Moscow, has announced the discovery of a new threat: a five-year-old cyber-espionage campaign that has successfully infiltrated computer networks worldwide at diplomatic, governmental, nuclear and energy groups along with scientific research organizations and aerospace industries.
The campaign, identified as “Rocra,” short for “Red October,” is still active, with data being sent to multiple command-and-control servers around the world. The virus is one of the most sophisticated pieces of computer code since the Stuxnet virus that brought Iran’s nuclear-enrichment program to its knees. The malware was found on Russian networks in October 2012, hence its name.
“We believe that the main goal of this operation is to obtain classified information which can be used for geopolitical gains,” said Costin Raiu, a senior security researcher at Kaspersky Lab. “There’s no proof that this cyber-espionage operation is sponsored by a nation state, but the high-profile data stolen from the victims can of course be used by nation states to their advantage. One possibility is that this information is stolen with the intent of being sold to the highest bidder.”
Raiu said the primary targets are countries in Eastern Europe, the former USSR republics and Central Asia, although victims can be found in Western Europe and North America.
More than 1,000 program objects have been identified so far by the Kaspersky researchers.
The virus attacks sites and gathers intelligence from their networks, individual computer systems and mobile devices. It even gathers erased files from USB drives.
The latest threat doesn’t seem to be the work of a nation-state or terrorist group but of very talented mercenaries.
While only recently discovered, Red October has been operating since at least 2007.
Like the virus that attacked Israeli police computers last year, Red October gathers classified information through vulnerabilities in Microsoft’s Word and Excel programs.
It appears that parts of the same code were previously used in targeted attacks against Tibetan activists, as well as military and energy sector targets in Asia.
Using these exploits, Red October assigned each compromised device a unique 20-digit identifier. It then sent the data it collected from each device back to one of more than 20 servers around the world.
Forensics on the virus show that it collected information from government embassies, research firms, military installations, energy providers, nuclear and other critical infrastructures. The virus has been able to harvest classified intelligence from these systems for half a decade and use that information to burrow its way into other systems.
It did its work not only by gathering the existing intelligence from the machines, but also by installing “key loggers,” small programs that capture the keystrokes made by a user and send a record of the input back to a remote server. The hackers can then use that information to work out the user accounts and passwords on the infected machine and gather even more data.
The code also has unique ways of hiding. It can pretend to be a deleted file on the system. When an investigator initiates a search on the device, the malware deletes itself and then reappears when the search is complete.
Red October also has a “resurrection” module embedded as a plug-in in Adobe Reader and Microsoft Office applications. This module made it possible for attackers to regain control of a system even after the malware itself was discovered and removed from the system.
In an interesting development, researchers discovered that Red October also made the jump to mobile phones, including iPhones, Windows Mobile devices and Nokia brand devices. Once a system is infected, the virus allows the hackers to spend a few days performing reconnaissance on the machines to determine the signature of the device. This can include the machine configuration, the browser history, the memory cache, which programs are installed and what remote files and devices are connected to the machine.
It could also scan the device for a host of file names. One type of file, called an “acid* file,” is particularly interesting because it is associated with a classified piece of software called “Acid Cryptofiler” that is used by government organizations to encrypt files and hard drives.
This virus can discover known vulnerabilities on other systems as well. It can also download configuration data from network routers, access other servers on the local network and more.
On the larger systems, it could erase the programming on network switches and removable media such as disk drives and USB memory sticks.
While the researchers have been able to dissect the malware and determine how it works, figuring out who developed it is an entirely different matter.
According to Kaspersky Labs, the Simplified Chinese character encoding used in the virus would point to Red October probably having Chinese origins, but the fact that the code includes Russian slang expressions would indicate that recent development work was done by people who speak Russian. For example, the word “proga” was found in the code. This is Russian slang which means “program” or “application.” It is a term that seems to be unique to the Russian programming community.
The alternative theory is that the Russian element is a “false flag,” meant to divert attention from the real operatives.
It appears that the people who sent the virus out “into the wild” were not Russian after all. While the servers and domains to which the virus reported can be found in and around Germany and Russia, other evidence indicates that these were only proxy servers that relayed the information to yet other servers, allowing the operators to cover their tracks.
While the size and sophistication of the virus suggest it is the work of a nation-state, analysis of the code indicates it is not being run under the auspices of any single country. Red October seems to be an operation by a single person or a small group of people.
A total of 39 countries were found to have infected sites, with the most virulent cases of Red October being found in:
Russia – 35 sites
Kazakhstan – 21 sites
Azerbaijan – 15 sites
Belgium – 15 sites
India – 14 sites
Afghanistan – 10 sites
Armenia – 10 sites
Iran – seven sites
Turkmenistan – seven sites
United States – six sites
While there doesn’t seem to be a common thread among the victims, the sites that were selected seem to be specifically targeted. The attackers may have a specific purpose in mind, or they may just be looking at a “target-rich” network and practicing the “vacuum cleaner approach” to cyber-warfare, acquiring as much data as possible to see what can be discovered.
Given how long Red October has been active, Kaspersky researchers believe that hundreds of terabytes of sensitive data have probably been stolen by now.
This profile would point to a group such as Anonymous, which gathers as much as it can, hoping to come across particularly interesting or embarrassing information.
While the perpetrators may not be a nation-state or a committed group of hackers, they could very well be free-agents, waiting in the wings for a buyer to come along.