Red October attack targets diplomats, governments

hacking

By Nicole Kobie

Posted on 14 Jan 2013 at 15:35

Several hundred government targets have been attacked as part of a long-running campaign dubbed Red October, Kaspersky has revealed.

The attack targets computers, mobiles, USB drives and networking equipment, gathering sensitive data and login credentials, a report from the security firm said.

While targets are spread around the world, the focus appears to be embassies, government agencies, military and energy organisations in Eastern Europe, former USSR countries, and Central Asia. No attacks on UK authorities were observed; however, Kaspersky admitted its research was limited to its own network of users, so there are likely more victims than its report shows.

The attacks are still ongoing, and started at least as far back as 2007, allowing hundreds of terabytes of data to be collected.

It was unclear who the attackers are, but Kaspersky said they appeared to be of Russian-speaking origin, based on pieces of evidence found in the code. "Notably, one of the commands in the Trojan dropper switches the codepage of an infected machine to 1251 before installation," the company said. "This is required to address files and directories that contain Cyrillic characters in their names."

However, Kaspersky noted that this evidence could have been planted in the code to make it look like Russian speakers were behind the attacks.

The security firm said there was no evidence that the attacks were state-sponsored. "The information stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states," the report said. "Such information could be traded in the underground and sold to the highest bidder, which can be of course, anywhere."

The attacks are highly targeted, and "carefully tuned to the specifics of the victims," Kaspersky said, marking a change from the "highly automated" Flame campaign.

How it works

The Trojan's malicious code was delivered via an email attachment, making use of known flaws in Excel, Word and PDFs.

The code sets up communication with the command and control servers, and receives additional "spy modules", which it uses to infect connected smartphones and steal data.

"After initial infection, the malware won't propagate by itself - typically, the attackers would gather information about the network for a few days, identify key systems and then deploy modules which can compromise other computers in the network, for instance by using the MS08-067 exploit," the report said.

Some of the data harvesting is ongoing, such as grabbing data from a phone every time it is connected, or recording all keystrokes, while other tasks are one-off, such as extracting passwords, browser history and account information.

When it finds the information it's looking for, the system packs up the data and encrypts it before transferring it back to the C&C servers. Kaspersky found more than 60 domains for the C&C servers, with many named to look like Windows or Microsoft update systems.
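The look-alike naming of the C&C domains is something a defender can hunt for in DNS logs. The following is an added example, not code from the article or from Kaspersky's report: it flags queries for names that borrow Microsoft or Windows update branding but do not sit under the legitimate update suffixes. The log format, hostnames, brand tokens and the list of legitimate suffixes are all constructed or assumed here, and none of the names are real Red October indicators.

```python
import re

# Constructed sample DNS query log lines (not real indicators from the report).
SAMPLE_DNS_LOG = """\
2013-01-14T10:02:11Z ws-17 query A download.windowsupdate.com
2013-01-14T10:02:15Z ws-17 query A windows-update-service.example.net
2013-01-14T10:03:40Z ws-04 query A update.microsoft.com
2013-01-14T10:03:42Z ws-04 query A microsoft.example.org
2013-01-14T10:05:00Z ws-09 query A www.example.com
2013-01-14T10:05:03Z ws-09 query A msupdate-cdn.example.co
"""

# Assumed log layout: "<timestamp> <client> query <qtype> <queried name>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qtype>\S+) (?P<name>\S+)$")

# Brand tokens that make a hostname resemble Windows or Microsoft update traffic.
BRAND_TOKENS = ("microsoft", "windows", "msupdate")

# Assumption: the registrable suffixes this site treats as genuine update infrastructure.
LEGIT_SUFFIXES = ("microsoft.com", "windowsupdate.com")


def is_legitimate(name):
    """True if the name is exactly, or a subdomain of, a trusted update suffix."""
    return any(name == s or name.endswith("." + s) for s in LEGIT_SUFFIXES)


def borrows_update_brand(name):
    """True if any DNS label contains one of the brand tokens."""
    return any(tok in label for label in name.split(".") for tok in BRAND_TOKENS)


def find_lookalike_queries(log_text):
    """Return the queries that look like update traffic but are outside trusted suffixes."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed layout
        name = m["name"].lower().rstrip(".")
        if borrows_update_brand(name) and not is_legitimate(name):
            hits.append({"ts": m["ts"], "client": m["client"], "name": name})
    return hits


def clients_with_lookalikes(log_text):
    """Sorted list of clients that queried at least one look-alike name."""
    return sorted({h["client"] for h in find_lookalike_queries(log_text)})


if __name__ == "__main__":
    for hit in find_lookalike_queries(SAMPLE_DNS_LOG):
        print(f"{hit['ts']} {hit['client']} queried look-alike name {hit['name']}")
```

A hit is a lead for investigation, not proof of compromise; the suffix list must be maintained from the organisation's own knowledge of vendor infrastructure.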

The Red October attack also builds a backup into the computer, allowing the attackers to regain access if C&C servers are shut down.

PC Pro - Computing in the Real World. Printed from www.pcpro.co.uk