Cyber espionage is alive and well, as illustrated by the discovery of a long-term campaign dubbed "Red October" that is suspected to have been targeting mostly embassies, but has also been found to have infiltrated systems belonging to other government agencies, military, energy and research organizations in nearly 70 nations across Europe, former USSR Republics, Central Asia, and North America.
"During the past five years, a high-level cyber-espionage campaign has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations, gathering data and intelligence from mobile devices, computer systems and network equipment," Kaspersky Labs reported.
“The main purpose of the operation appears to be the gathering of classified information and geopolitical intelligence, although it seems that the information-gathering scope is quite wide. During the past five years, the attackers collected information from hundreds of high-profile victims, although it’s unknown how the information was used,” Kaspersky Labs disclosed.
Kaspersky researchers began their investigation in October of 2012 after receiving reports of numerous targeted attacks on systems belonging to "various international diplomatic service agencies." Evidence indicates that the operation has been in place since at least 2007, and the researchers noted that the command and control (C&C) servers are still active.
The malware used in the espionage campaign is modular, comparable in design to the code behind the now infamous Flame and Stuxnet attacks, and is built to evade detection. At least one module is specifically designed to collect files created with Acid Cryptofiler, an encryption software suite in use at European government institutions since 2011. Note that harvesting encrypted files is only useful to an attacker who can also obtain the keys or break the cipher; the researchers did not claim the algorithm had been cracked, so the targeting is better read as evidence of what the operators are after than as evidence against the cryptography.
Kaspersky Lab's analysis revealed key aspects of the Red October operation, including:
- Unique architecture: The attackers created a multi-functional kit which has a capability of quick extension of the features that gather intelligence. The system is resistant to C&C server takeover and allows the attackers to recover access to infected machines using alternative communication channels.
- Broad variety of targets: Besides traditional attack targets (workstations), the system is capable of stealing data from mobile devices, such as smartphones (iPhone, Nokia, Windows Mobile), enterprise network equipment (Cisco), and removable disk drives (including already deleted files via a custom file recovery procedure).
- Importation of exploits: The samples we managed to find were using exploit code for vulnerabilities in Microsoft Word and Microsoft Excel that were created by other attackers and employed during different cyber attacks. The attackers left the imported exploit code untouched, perhaps to harden the identification process.
- Attacker identification: Based on registration data of C&C servers and numerous artifacts left in executables of the malware, we strongly believe that the attackers have Russian-speaking origins. The current attackers and the executables developed by them have been unknown until recently; they have never been related to any other targeted cyberattacks.
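The "deleted files" item above is worth a closer look, because it is the same trick forensic examiners use in reverse: deleting a file on a FAT-style removable drive only marks the directory entry, the clusters holding the data stay on disk until they are reused. The following is an added example, not code from the article or from Kaspersky's analysis of the malware. It builds a toy FAT-like image in memory (the directory layout and the two sample documents are constructed for the example), "deletes" both files the way a FAT driver does, and then recovers them by carving on file signatures, which is the general technique behind any such recovery procedure. It also shows the one thing that actually defeats recovery: overwriting the clusters.

```python
"""Signature carving of deleted files from a raw disk image (added example)."""
import io
import re
import struct
import zipfile

CLUSTER = 512          # toy cluster size; cluster 0 is the root directory
ENTRY = "<11sB14xHI"   # FAT-like 32-byte entry: name, attr, pad, first cluster, size
DELETED = 0xE5         # FAT marks a deleted entry by overwriting the first name byte

# Constructed sample documents (not real captures).
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF"
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _z:          # DOCX/XLSX are ZIP containers
    _z.writestr("word/document.xml", "<w:document>cable draft</w:document>")
SAMPLE_DOCX = _buf.getvalue()

# Header/footer signatures the carver knows about (assumption: only these two types).
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),   # local file header / end-of-central-directory
}


def build_image(files):
    """Lay out (name11, data) pairs as a root directory plus consecutive clusters."""
    root = bytearray(CLUSTER)
    data = bytearray()
    next_cluster = 1
    for i, (name, blob) in enumerate(files):
        n_clusters = (len(blob) + CLUSTER - 1) // CLUSTER
        root[i * 32:(i + 1) * 32] = struct.pack(ENTRY, name, 0x20, next_cluster, len(blob))
        data += blob + b"\x00" * (n_clusters * CLUSTER - len(blob))
        next_cluster += n_clusters
    return bytes(root + data)


def delete_file(image, index):
    """What a FAT driver does on delete: tag the entry, leave the data untouched."""
    img = bytearray(image)
    img[index * 32] = DELETED
    return bytes(img)


def list_live(image):
    """Names the filesystem still reports: deleted and empty entries are skipped."""
    names = []
    for off in range(0, CLUSTER, 32):
        name, _attr, _first, size = struct.unpack_from(ENTRY, image, off)
        if name[0] in (0, DELETED):
            continue
        names.append((name, size))
    return names


def wipe_clusters(image, first_cluster, count):
    """Secure-erase style overwrite; the only step that actually defeats carving."""
    img = bytearray(image)
    start = first_cluster * CLUSTER
    img[start:start + count * CLUSTER] = b"\x00" * (count * CLUSTER)
    return bytes(img)


def carve(image):
    """Recover files by header/footer signature, ignoring the directory entirely."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        for m in re.finditer(re.escape(head), image):
            start = m.start()
            tpos = image.find(tail, start)
            if tpos < 0:
                continue                      # footer overwritten: nothing recoverable
            if kind == "zip":
                if tpos + 22 > len(image):
                    continue
                comment_len = struct.unpack_from("<H", image, tpos + 20)[0]
                end = tpos + 22 + comment_len   # EOCD record is 22 bytes + comment
            else:
                end = tpos + len(tail)
            found.append((kind, start, image[start:end]))
    return sorted(found, key=lambda t: t[1])


def demo():
    """Delete both files, confirm the directory shows nothing, carve them back."""
    image = build_image([(b"REPORT  PDF", SAMPLE_PDF), (b"MEMO    DOC", SAMPLE_DOCX)])
    image = delete_file(delete_file(image, 0), 1)
    recovered = carve(image)
    docx = zipfile.ZipFile(io.BytesIO(recovered[1][2])).read("word/document.xml")
    wiped = carve(wipe_clusters(image, 1, 1))   # overwrite the PDF's cluster
    return list_live(image), recovered, docx, wiped


if __name__ == "__main__":
    live, recovered, docx, wiped = demo()
    print("directory lists:", live)
    print("carved:", [(k, off, len(b)) for k, off, b in recovered])
    print("recovered document text:", docx)
    print("after wiping cluster 1:", [k for k, _, _ in wiped])
```

The defensive takeaway is the inverse of the attacker's trick: on removable media that has carried sensitive documents, deletion is not sanitisation; only overwriting (or full-disk encryption with the key held elsewhere) removes what a carver can find.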
The likely avenue of infection was spear-phishing e-mail with tainted attachments containing "exploit code for known security vulnerabilities" in PDF documents and popular Office applications such as Excel and Word, specifically CVE-2009-3129 (MS Excel), CVE-2010-3333 (MS Word, RTF parsing) and CVE-2012-0158 (the MSCOMCTL ActiveX control, delivered through Word documents). All three had vendor patches available before the campaign was discovered. Once a target's system is infected, additional modules are downloaded from the C&C servers through a backdoor established by the initial agent.
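Because the initial access relied on exploits for known, already-patched Office vulnerabilities, attachment triage is where a defender gets the earliest signal. The following is an added example and not part of the article or of Kaspersky's analysis: a small scanner for two of the named CVEs in RTF form. The indicator strings it looks for are public detection heuristics commonly associated with those CVEs, which is an assumption of this example rather than something the article states: a `pFragments` shape property for CVE-2010-3333, and an embedded MSCOMCTL ListView/TreeView control for CVE-2012-0158. The point it makes beyond a plain grep is that the control's class name usually sits inside the hex-encoded `\objdata` stream, so the scanner decodes those streams before matching. The three RTF samples are constructed for the example and are not exploit files.

```python
"""Triage of RTF attachments for CVE-2010-3333 and CVE-2012-0158 indicators (added example)."""
import binascii
import re

# Public heuristic indicators (assumption of this example, not from the article).
INDICATORS = [
    ("CVE-2010-3333", re.compile(rb"\bpfragments\b", re.I)),
    ("CVE-2012-0158", re.compile(rb"mscomctllib\.(listview|treeview)ctrl", re.I)),
]

# An \objdata group carries the OLE object as a hex string, often broken across lines.
OBJDATA = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def decode_objdata_streams(rtf):
    """Return the decoded bytes of every \\objdata hex stream in the document."""
    streams = []
    for m in OBJDATA.finditer(rtf):
        hexdigits = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdigits) % 2:          # tolerate a truncated trailing nibble
            hexdigits = hexdigits[:-1]
        streams.append(binascii.unhexlify(hexdigits))
    return streams


def scan_rtf(rtf):
    """Match indicators against the raw document and every decoded object stream."""
    views = [rtf] + decode_objdata_streams(rtf)
    hits = {cve for cve, pat in INDICATORS for view in views if pat.search(view)}
    return sorted(hits)


# --- constructed samples (not real documents) -------------------------------
BENIGN_RTF = rb"{\rtf1\ansi{\fonttbl{\f0 Calibri;}}\f0 Quarterly budget attached.\par}"

# CVE-2010-3333 shape: the property name is visible in clear text.
PFRAG_RTF = rb"{\rtf1{\shp{\sp{\sn pFragments}{\sv 1;4;41414141}}}}"

# CVE-2012-0158: no \objclass given; the class name only appears inside the
# OLE1 header of the embedded object, which RTF stores hex-encoded.
_OLE1_HEADER = (
    b"\x01\x05\x00\x00"                    # OLE version
    + b"\x02\x00\x00\x00"                  # format id: embedded object
    + (27).to_bytes(4, "little")           # class name length incl. NUL
    + b"MSComctlLib.ListViewCtrl.2\x00"
)
_HEX = binascii.hexlify(_OLE1_HEADER)
MSCOMCTL_RTF = (
    rb"{\rtf1{\object\objocx{\*\objdata "
    + b"\n".join(_HEX[i:i + 32] for i in range(0, len(_HEX), 32))
    + rb"}}}"
)


def triage(samples):
    """Map each attachment name to the CVE indicators found in it."""
    return {name: scan_rtf(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hits in triage({"budget.rtf": BENIGN_RTF,
                              "agenda.rtf": PFRAG_RTF,
                              "invite.rtf": MSCOMCTL_RTF}).items():
        print(name, "->", hits or "clean")
```

A naive byte search for `MSComctlLib` finds nothing in the third sample, which is why the decoding step matters. CVE-2009-3129 lives in Excel's binary BIFF stream (the FEATHEADER record) and needs an OLE compound-file parser rather than a text scan, so it is deliberately out of scope here; in practice this kind of check sits behind a mail gateway alongside the patch-level check that makes the exploits inert in the first place.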
The malware can bypass many detection tools and is able to reinfect systems. Each instance of infection is tied to a unique identifier which enables the attackers to distinguish between individual victims and initiate actions based on the specific target.
"When connecting to the C&C, the backdoor identifies itself with a specific string which includes a hexadecimal value that appears to be the victim’s unique ID. Different variants of the backdoor contain different victim IDs. Presumably, this allows the attackers to distinguish between the multitudes of connections and perform specific operations for each victim individually," Kaspersky Lab's analysis found.
The attackers have not been identified, though the researchers noted that the instigators are likely native Russian speakers and that the C&C servers employed are mostly located in Germany. Kaspersky Lab says it will soon release more information on the design of the specific modules used in the Red October campaign and the technical aspects of their functionality.