Steve Elwart, P.E., Ph.D., is the executive research analyst with the Koinonia Institute and a subject matter expert for the Department of Homeland Security. He can be contacted at email@example.com.
The hackers behind the “Red October” cyberattack have decided to shut down their operation after their activity was documented in reports by WND and other outlets.
Last Thursday, WND reported a worldwide cyberattack was under way that was called “Red October” because it was discovered by the Russian security firm Kaspersky Lab in October 2012.
The attack was launched at least five years ago by suspected cyber-mercenaries who are not attached to any hacktivist group or nation-state.
The primary targets of the attack appear to be countries in Eastern Europe, the former USSR republics and Central Asia, although victims could be found in Western Europe and North America as well.
The hackers spread the virus by implanting it in Microsoft Word and Excel documents that triggered the virus once the file was opened.
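Because the delivery vector described here is a booby-trapped Word or Excel file, the practical defensive control is to inspect attachments for the parts that allow code to run when a document is opened, before they reach a mailbox. The script below is an added example, not code from the article or from Kaspersky Lab: it walks the OOXML zip container for a VBA project, embedded OLE objects and externally linked OLE objects, routes legacy binary (OLE2) files to a sandbox because they need a dedicated parser, and returns a verdict a mail gateway could act on. All sample documents are constructed in memory and the verdict names are assumptions for illustration.

```python
"""Triage Office attachments for active content (added example, stdlib only)."""
import io
import zipfile
import xml.etree.ElementTree as ET

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML .docx/.xlsx container


def _scan_rels(xml_bytes: bytes) -> bool:
    """True if a relationship file links an OLE object to an external target."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return False
    for rel in root.iter():
        if rel.get("Type", "").endswith("/oleObject") and rel.get("TargetMode") == "External":
            return True
    return False


def triage_office_file(data: bytes) -> dict:
    """Inspect one attachment and return findings plus a verdict (allow/sandbox/quarantine)."""
    findings = {"format": "unknown", "macros": False, "embedded_objects": [],
                "external_ole": False, "verdict": "allow"}
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format can carry macros and exploits but needs an OLE
        # stream parser to inspect; hand it to detonation rather than guess.
        findings["format"] = "ole2"
        findings["verdict"] = "sandbox"
        return findings
    if not data.startswith(ZIP_MAGIC):
        return findings                      # not an Office container at all
    findings["format"] = "ooxml"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                lower = name.lower()
                if lower.endswith("vbaproject.bin"):        # VBA macro storage
                    findings["macros"] = True
                elif "/embeddings/" in lower:               # embedded OLE objects
                    findings["embedded_objects"].append(name)
                elif lower.endswith(".rels"):               # relationship manifests
                    if _scan_rels(zf.read(name)):
                        findings["external_ole"] = True
    except zipfile.BadZipFile:
        findings["format"] = "corrupt-zip"   # malformed containers are a classic evasion
        findings["verdict"] = "sandbox"
        return findings
    if findings["macros"] or findings["embedded_objects"]:
        findings["verdict"] = "quarantine"
    elif findings["external_ole"]:
        findings["verdict"] = "sandbox"
    return findings


def build_sample_docx(with_macro=False, with_ole=False, with_external_ole=False) -> bytes:
    """Construct a minimal OOXML package in memory (constructed test data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
        if with_ole:
            zf.writestr("word/embeddings/oleObject1.bin", b"\x00" * 16)
        if with_external_ole:
            zf.writestr(
                "word/_rels/document.xml.rels",
                '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                '<Relationship Id="rId9" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
                'Target="file:///placeholder.example/obj.bin" TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in [("plain", build_sample_docx()),
                       ("macro", build_sample_docx(with_macro=True)),
                       ("external-ole", build_sample_docx(with_external_ole=True)),
                       ("legacy", OLE2_MAGIC + b"\x00" * 512)]:
        print(label, triage_office_file(doc)["verdict"])
```

The check deliberately ignores ordinary hyperlink relationships, which also carry `TargetMode="External"` in benign documents, and only escalates OLE relationships; a gateway that sandboxes every document with a hyperlink would drown its analysts.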
While government embassies, research firms, military installations, energy providers, nuclear and other critical infrastructures are still trying to assess the damage, the true extent of the attack may never be known.
Costin Raiu of Kaspersky Lab, who led the effort to identify and analyze the virus, said that when the first report of the campaign appeared, the companies hosting the servers that received the harvested data began shutting down the websites the hackers were using. Also, many of the 60 domain names that were used to receive the data were quarantined.
“It’s clear that the infrastructure is being shut down. This time it’s being shut down for good,” Raiu said. “Not only are the registrars killing the domains and the hosting providers killing the command-and-control servers, but perhaps the attackers are shutting down the whole operation.”
Between the hosting companies and the hackers themselves, the attacks have been almost entirely shut down. As a result, the entire scope of the operation may never be known. Analysts suspect that the servers that were used to receive the collected data were merely proxy servers for the data before the information was sent to an intended site.
From what is known, analysts believe this latest incident may rival the Flame malware attack in its scope. Flame was a piece of malware, discovered last year, that infected 1,000 computers in seven Middle Eastern countries, primarily in Iran.
One thing that was discovered about Red October is that large-scale intelligence gathering can go on for a long period of time without the victim knowing.
How the hackers will use the information collected by Red October is yet to be determined.
WND’s original report said Kaspersky had documented the existence of the five-year-old cyber-espionage campaign that successfully had infiltrated computer networks worldwide at diplomatic, governmental, nuclear and energy groups along with scientific research organizations and aerospace industries.
Raiu, a senior security researcher at Kaspersky, said it looked like the goal was to obtain classified information and use it for geopolitical gains.
At the time, he said, “There’s no proof that this cyber-espionage operation is sponsored by a nation state, but the high-profile data stolen from the victims can of course be used by nation states to their advantage. One possibility is that this information is stolen with the intent of being sold to the highest bidder.”
While only recently discovered, Red October had been operating since at least 2007.
It appears that parts of the same code were previously used in targeted attacks against Tibetan activists, as well as military and energy sector targets in Asia.
Using these exploits, Red October assigned each device it compromised a 20-digit identifier. It then took the data it collected from each device and reported back to one of over 20 servers around the world.
Forensics on the virus show that it collected information from government embassies, research firms, military installations, energy providers, nuclear and other critical infrastructures. The virus has been able to harvest classified intelligence from these systems for half a decade and use that information to burrow its way into other systems.
It did its work not only by gathering the existing intelligence from the machines, but also by installing “key loggers,” small programs that capture the keystrokes made by a user and send a record of the input back to a remote server. The hackers can then use the information to guess the user accounts and passwords on the infected machine to gather even more data.
The code also had unique ways of hiding. It can pretend to be a deleted file on the system. When an investigator initiates a search on the device, the malware deletes itself and then reappears when the search is complete.
Red October also has a “resurrection” module embedded as a plug-in in Adobe Reader and Microsoft Office applications. This module made it possible for attackers to regain control of a system even after the malware itself was discovered and removed from the system.
According to Kaspersky Lab, the Simplified Chinese character encoding used in the virus would point to Red October probably having Chinese origins, but the fact that the code includes Russian slang expressions would indicate that recent development work was done by people who speak Russian. For example, the word “proga” was found in the code. This is Russian slang which means “program” or “application.” It is a term that seems to be unique to the Russian programming community.
The alternative theory is that the Russian element is a “false flag,” meant to divert attention from the real operatives.
A total of 39 countries were found to have infected sites, with the most virulent cases of Red October being found in:
Russia – 35 sites
Kazakhstan – 21 sites
Azerbaijan – 15 sites
Belgium – 15 sites
India – 14 sites
Afghanistan – 10 sites
Armenia – 10 sites
Iran – seven sites
Turkmenistan – seven sites
United States – six sites
While there doesn’t seem to be a common thread among the victims, the sites that were selected seem to be specifically targeted. The attackers may have a specific purpose in mind, or they may just be looking at a “target-rich” network and practicing the “vacuum cleaner approach” to cyber-warfare, acquiring as much data as possible to see what can be discovered.