Red October attack targets diplomats, governments
By Nicole Kobie
Posted on 14 Jan 2013 at 15:35
Several hundred government targets have been attacked as part of a long-running campaign dubbed Red October, Kaspersky has revealed.
The attack targets computers, mobiles, USB drives and networking equipment, gathering sensitive data and login credentials, a report from the security firm said.
While targets are spread around the world, the focus appears to be embassies, government agencies, military and energy organisations in Eastern Europe, former USSR countries, and Central Asia. No attacks were made on UK authorities; however, Kaspersky admitted its research was limited to its own network of users, so there are likely more victims than its report shows.
The attacks are still on-going, and started at least as far back as 2007, allowing for hundreds of terabytes of data to be collected.
It was unclear who the attackers are, but Kaspersky said they appeared to be of Russian-speaking origin, based on pieces of evidence found in the code. "Notably, one of the commands in the Trojan dropper switches the codepage of an infected machine to 1251 before installation," the company said. "This is required to address files and directories that contain Cyrillic characters in their names."
However, that could have been planted in the code to make it look like Russians were behind the attacks, Kaspersky claims.
The security firm said there was no evidence that the attacks were state-sponsored. "The information stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states," the report said. "Such information could be traded in the underground and sold to the highest bidder, which can be of course, anywhere."
The attacks are highly targeted, and "carefully tuned to the specifics of the victims," Kaspersky said, marking a change from the "highly automated" Flame campaign.
How it works
The Trojan's malicious code was delivered via an email attachment, making use of known flaws in Excel, Word and PDFs.
The code sets up communication with the command and control servers, and receives additional "spy modules", which it uses to infect connected smartphones and steal data.
"After initial infection, the malware won't propagate by itself - typically, the attackers would gather information about the network for a few days, identify key systems and then deploy modules which can compromise other computers in the network, for instance by using the MS08-067 exploit," the report said.
Some of the data harvesting is on-going, such as grabbing data from a phone every time it's connected or recording all keystrokes, while other tasks are one-off, such as extracting passwords, browser history and account information.
When it finds the information it's looking for, the system packs up the data and encrypts it before transferring it back to the C&C servers. Kaspersky found more than 60 domains for the C&C servers, with many named to look like Windows or Microsoft update systems.
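For defenders, C&C names dressed up as Windows or Microsoft update hosts can be triaged from DNS query logs. The sketch below is an added example, not code from the article or from Kaspersky's report; the log format, the keyword list, the short allowlist of Microsoft-operated domains and every sample domain are assumptions constructed for illustration.

```python
import re

# Illustrative, incomplete allowlist of Microsoft-operated domains (assumption).
LEGIT_SUFFIXES = ("microsoft.com", "windowsupdate.com", "windows.com")
# Brand/update wording a lookalike name would borrow (assumed heuristic list).
KEYWORDS = re.compile(r"microsoft|windows|msft|ms-?update|win-?update|wsus")
# Fold common digit-for-letter swaps so "micr0soft" still matches the keywords.
LEET = str.maketrans("0135", "oies")

def is_legit(domain):
    """True only for an allowlisted domain or a real subdomain of one."""
    d = domain.lower().rstrip(".")
    # The "." boundary matters: "notmicrosoft.com" must not pass as microsoft.com.
    return any(d == s or d.endswith("." + s) for s in LEGIT_SUFFIXES)

def suspicious_queries(log_lines):
    """Return sorted (client, domain) pairs that use Microsoft/update wording
    but do not resolve under an allowlisted domain."""
    hits = set()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:          # expected: timestamp client qtype domain
            continue                 # skip malformed lines
        _, client, _, domain = parts
        name = domain.lower().rstrip(".")
        if is_legit(name):
            continue
        if KEYWORDS.search(name.translate(LEET)):
            hits.add((client, name))
    return sorted(hits)

# Constructed sample log; .example names are reserved and not real indicators.
SAMPLE_LOG = [
    "2013-01-14T10:02:11Z 10.0.0.5 A download.windowsupdate.com.",
    "2013-01-14T10:02:15Z 10.0.0.7 A windows-update-check.example",
    "2013-01-14T10:03:01Z 10.0.0.7 A micr0soft-patches.example",
    "2013-01-14T10:03:40Z 10.0.0.9 A windowsupdate.com.cdn.example",
    "2013-01-14T10:04:02Z 10.0.0.9 A www.example.org",
    "garbled line",
]

if __name__ == "__main__":
    for client, domain in suspicious_queries(SAMPLE_LOG):
        print(f"{client} queried lookalike update domain {domain}")
```

Keyword matching of this kind produces false positives, so hits are leads for review against the hosts that made the queries rather than verdicts.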
The Red October attack also builds a backup into the computer, allowing the attackers to regain access if C&C servers are shut down.
