Kaspersky Lab on Monday announced the discovery of a massive cyberespionage operation that has been active for at least five years and has infiltrated computer networks at diplomatic, governmental and scientific research organizations in Europe, North America and Central Asia.
The campaign, which the company has named “Red October,” is still active, and its configuration is as complex as that of the Flame malware, generally said to be the most complex attack ever launched.
“This operation has been conducted by highly skilled, well-funded attackers,” Roel Schouwenberg, senior researcher at Kaspersky Lab, told TechNewsWorld.
More About Red October
The attackers created more than 60 domain names and several hosting locations in different countries, mainly Germany and Russia, Kaspersky found. The command and control infrastructure consists of a chain of servers working as proxies to hide the location of the real C&C server.
The botnet’s platform is unique. It has a multi-functional framework that can quickly extend the malware’s intelligence-gathering features. The system is resistant to attempts to take over the C&C servers, and lets the attacker recover access to infected machines using alternative communication channels.
Among other things, Red October’s framework can steal data from mobile devices and slurp up configuration information from enterprise network equipment and local network FTP servers, Kaspersky said. It can also recover deleted files from removable disk drives.
The framework has a unique module that lets the attackers resurrect infected PCs after the malware has been discovered and cleaned or if the system is patched, Kaspersky found. This module is embedded as a plug-in inside Adobe Reader and Microsoft Office installations. The attackers email a specialized PDF or Office document containing a code to users of formerly infected PCs.
When the user opens the PDF or Office document, the hidden plug-in will look for the code, decrypt the content and reinstall the malware, Schouwenberg stated.
“This approach is not unique,” Randy Abrams, a research director at NSS Labs, told TechNewsWorld. “If it is clever, it is clever in that it does not reinvent the wheel. The code would be replaced, not resurrected, if it had truly been eliminated.”
Who Are You?
Based on the registration data of the C&C servers and various artifacts left in the executables of the malware, Kaspersky believes the attackers come from areas where Russian is spoken.
The executables used by the attackers were unknown until recently, Kaspersky said.
Reduce, Reuse, Recycle
The attackers reused exploits created for other attack campaigns and used previously against Tibetan activists as well as military and energy sector targets in Asia, Schouwenberg said. The attackers replaced the exploit executables with their own code.
“We observed the use of at least three exploits from previously known vulnerabilities — CVE-2009-3129, CVE-2010-3333, and CVE-2012-0158,” Schouwenberg revealed.
CVE-2009-3129 attacks Microsoft Excel files.
CVE-2010-3333 and CVE-2012-0158 attack Microsoft Word files. The latter was used in online attacks on a Tibetan non-governmental organization.
The Hunt for Red October
Registration data from the purchase of several C&C servers, and unique malware filenames related to the current attackers “hint at … activity dating back to May 2007,” Schouwenberg disclosed.
However, Kaspersky began detecting the exploit code used in the malware around 2011 because “we detect 200,000 or so new malware samples every day,” Schouwenberg explained. “It’s simply impossible to do a deep-dive investigation into each and every one of those.”
The Impact of Red October
“Given the variety of targets, the impact of the attack ranges from leakage of sensitive geopolitical information and intellectual property to other types of intelligence,” Schouwenberg suggested.
Organizations “will need to have very tightly defined document structures and quit allowing exceptions to formats” to prevent spear phishing, Abrams said. However, this means each document must be individually verified, which “will add a noticeable delay to document open times.”
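The “tightly defined document structures” approach Abrams describes, and the delay it adds, can be made concrete with a small inbound-document gate. The following is an added example written for this article; it is not code from Kaspersky Lab, NSS Labs or the Red October report. It assumes a policy that permits only PDF and OOXML (.docx/.xlsx) files and rejects any document that carries active content: PDF name markers that trigger script or launch actions, and OOXML parts that hold VBA macros or embedded OLE objects. The marker and part lists, the byte-level scan, and the sample documents are all constructed for the example.

```python
"""Inbound document gate: allow-list the format, then reject any document
that carries active content. Added example, not the article's or any
vendor's code; the marker lists below are assumptions, not a full parser."""
import io
import re
import zipfile
from typing import List, Tuple

# PDF name objects that mean the file can run script or launch something
# when opened. Assumed heuristic list; a production gate should use a real
# PDF parser, since names can be hex-escaped (e.g. /J#53) to evade this scan.
PDF_ACTIVE_RE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch|EmbeddedFile)\b")


def check_pdf(data: bytes) -> List[str]:
    """Return a list of findings; empty means the PDF passed the gate."""
    if not data.startswith(b"%PDF-"):
        return ["not a PDF: bad header"]
    findings = []
    for match in PDF_ACTIVE_RE.finditer(data):
        marker = "/" + match.group(1).decode()
        finding = f"active content marker {marker}"
        if finding not in findings:          # report each marker once
            findings.append(finding)
    return findings


def check_ooxml(data: bytes) -> List[str]:
    """Return findings for a .docx/.xlsx container (a ZIP of XML parts)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not an OOXML container"]
    names = zf.namelist()
    findings = []
    if "[Content_Types].xml" not in names:
        findings.append("missing [Content_Types].xml")
    for name in names:
        if name.endswith("vbaProject.bin"):      # VBA macro storage
            findings.append(f"macro part {name}")
        elif "/embeddings/" in name:            # embedded OLE objects
            findings.append(f"embedded object {name}")
    return findings


def gate(filename: str, data: bytes) -> Tuple[bool, List[str]]:
    """Apply the allow-list by extension, then the matching content check.
    Returns (allowed, findings)."""
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext == "pdf":
        findings = check_pdf(data)
    elif ext in ("docx", "xlsx"):
        findings = check_ooxml(data)
    else:
        findings = [f"extension .{ext} not in allow-list"]
    return (not findings, findings)


# --- constructed sample documents (not real captures) -------------------
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
ACTIVE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog "
              b"/OpenAction << /S /JavaScript /JS (x) >> >> endobj\n%%EOF\n")


def make_docx(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML container, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("report.pdf", CLEAN_PDF), ("invoice.pdf", ACTIVE_PDF),
                       ("memo.docx", make_docx(False)), ("memo.docx", make_docx(True)),
                       ("notes.txt", b"hello")]:
        allowed, why = gate(name, blob)
        print(f"{name:12s} {'ALLOW' if allowed else 'REJECT'} {why}")
```

Every document is opened and inspected before delivery, which is exactly where the open-time delay Abrams mentions comes from. The byte-level PDF scan is deliberately simple and is stated as an assumption: it catches plainly written action names but not hex-escaped or compressed object streams, so in practice the same policy would be enforced with a proper PDF and OOXML parser, or by converting inbound documents to a static format.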
The Red October malware “reveals nothing that we do not already know,” Abrams said. “The state of cybersecurity in the world at present is generally Neanderthal and has a lot of evolving to do.”