Welcome!

Cloud Expo Authors: Sandi Mappic, Esmeralda Swartz, Carmen Gonzalez, Elizabeth White, Lori MacVittie

News Feed Item

Kaspersky Lab Identifies Operation "Red October," an Advanced Cyber-Espionage Campaign Targeting Diplomatic and Government Institutions Worldwide

ABINGDON, England, January 14, 2013 /PRNewswire/ --

Attackers created unique, highly-flexible malware to steal data and geopolitical intelligence from target victims' computer systems, mobile phones and enterprise network equipment

Today Kaspersky Lab published a new research report  which identified an elusive cyber-espionage campaign targeting diplomatic, governmental and scientific research organisations in several countries for at least five years. The primary focus of this campaign targets countries in Eastern Europe, former USSR Republics and countries in Central Asia, although victims can be found everywhere, including Western Europe and North America. The main objective of the attackers was to gather sensitive documents from the compromised organisations, which included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment.

In October 2012 Kaspersky Lab's team of experts initiated an investigation following a series of attacks against computer networks targeting international diplomatic service agencies. A large scale cyber-espionage network was revealed and analysed during the investigation. According to Kaspersky Lab's analysis report, Operation Red October, called "Rocra" for short, is still active as of January 2013, and has been a sustained campaign dating back as far as 2007.

Main Research Findings

Red October's Advanced Cyber-espionage Network: The attackers have been active since at least 2007 and have been focusing on diplomatic and governmental agencies of various countries across the world, in addition to research institutions, energy and nuclear groups, and trade and aerospace targets. The Red October attackers designed their own malware, identified as "Rocra," that has its own unique modular architecture comprised of malicious extensions, info-stealing modules and backdoor Trojans.

The attackers often used information exfiltrated from infected networks as a way to gain entry into additional systems.  For example, stolen credentials were compiled in a list and used when the attackers needed to guess passwords or phrases to gain access to additional systems.

To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries, with the majority being in Germany and Russia. Kaspersky Lab's analysis of Rocra's Command & Control (C2) infrastructure shows that the chain of servers was actually working as proxies in order to hide the location of the 'mothership' control server.

Information stolen from infected systems includes documents with extensions: txt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau,  cif, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca, aciddsk, acidpvr, acidppr, acidssa. In particular, the "acid*" extensions appears to refer to the classified software "Acid Cryptofiler", which is used by several entities, from the European Union to NATO.

Infecting Victims

To infect systems, the attackers sent a targeted spear-phishing email to a victim that included a customised Trojan dropper. In order to install the malware and infect the system the malicious email included exploits that were rigged for security vulnerabilities inside Microsoft Office and Microsoft Excel. The exploits from the documents used in the spear-phishing emails were created by other attackers and employed during different cyber attacks including Tibetan activists as well as military and energy sector targets in Asia. The only thing that was changed in the document used by Rocra was the embedded executable, which the attackers replaced with their own code.  Notably, one of the commands in the Trojan dropper changed the default system codepage of the command prompt session to 1251, which is required to render Cyrillic fonts.  

Targeted Victims & Organisations

Kaspersky Lab's experts used two methods to analyse the target victims. First, they used detection statistics from the Kaspersky Security Network (KSN), which is the cloud-based security service used by Kaspersky Lab products to report telemetry and deliver advanced threat protection in the forms of blacklists and heuristic rules. KSN had been detecting the exploit code used in the malware as early as 2011, which enabled Kaspersky Lab's experts to search for similar detections related to Rocra. The second method used by Kaspersky Lab's research team was creating a sinkhole server so they could monitor infected machines connecting to Rocra's C2 servers. The data received during the analysis from both methods provided two independent ways of correlating and confirming their findings.

  • KSN statistics: Several hundred unique infected systems were detected by the data from KSN, with the focus being on multiple embassies, government networks and organisations, scientific research institutes and consulates. According to KSN's data, the majority of infections that were identified were located  primarily in Eastern Europe, but other infections were also identified in North America and countries in Western Europe, as Switzerland and Luxembourg.
  • Sinkhole statistics: Kaspersky Lab's sinkhole analysis took place from November 2nd, 2012 - January 10th, 2013. During this time more than 55,000 connections from 250 infected IP addresses were registered in 39 countries. The majority of infected IP connections were coming from Switzerland, followed by Kazakhstan and Greece.

Rocra malware: unique architecture and functionality

The attackers created a multi-functional attack platform that includes several extensions and malicious files designed to quickly adjust to different systems' configurations and harvest intelligence from infected machines. The platform is unique to Rocra and has not been identified by Kaspersky Lab in previous cyber-espionage campaigns. Notable characteristics include:

  • "Resurrection" module: A unique module that enables the attackers to "resurrect" infected machines. The module is embedded as a plug-in inside Adobe Reader and Microsoft Office installations and provides the attackers a foolproof way to regain access to a target system if the main malware body is discovered and removed, or if the system is patched. Once the C2s are operational again the attackers send a specialized document file (PDF or Office document) to victims' machines via e-mail which will activate the malware again.
  • Advanced cryptographic spy-modules: The main purpose of the spying modules is to steal information. This includes files from different cryptographic systems, such as Acid Cryptofiler, which is known to be used in organisations of NATO, the European Union, European Parliament and European Commission since the summer of 2011 to protect sensitive information.
  • Mobile Devices: In addition to targeting traditional workstations, the malware is capable of stealing data from mobile devices, such as smartphones (iPhone, Nokia and Windows Mobile). The malware is also capable of stealing configuration information from enterprise network equipment such as routers and switches, as well as deleted files from removable disk drives.

Attacker identification: Based on the registration data of C2 servers and the numerous artifacts left in executables of the malware, there is strong technical evidence to indicate the attackers have Russian-speaking origins. In addition, the executables used by the attackers were unknown until recently, and were not identified by Kaspersky Lab's experts while analyzing previous cyber-espionage attacks.

Kaspersky Lab, in collaboration with international organisations, law enforcement agencies and Computer Emergency Response Teams (CERTs) is continuing its investigation of Rocra by providing technical expertise and resources for remediation and mitigation procedures.

Kaspersky Lab would like to express their thanks to: US-CERT, the Romanian CERT and the Belarusian CERT for their assistance with the investigation.

The Rocra malware is successfully detected, blocked and remediated by Kaspersky Lab's products, classified as Backdoor.Win32.Sputnik.

Read the full research report of Rocra by Kaspersky Lab's experts please visit Securelist.

Kaspersky Lab Newsroom

Kaspersky Lab has launched a new online newsroom, Kaspersky Lab Newsroom Europe (http://newsroom.kaspersky.eu/en), for journalists throughout Europe. The newsroom is specifically designed to serve many of the media's most common requests, making it easier for journalists to find product and corporate information, facts and figures, editorial copy, images, videos and audio files, as well as details about the appropriate PR contacts.

About Kaspersky Lab

Kaspersky Lab is the world's largest privately held vendor of endpoint protection solutions. The company is ranked among the world's top four vendors of security solutions for endpoint users*. Throughout its 15-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for consumers, SMBs and Enterprises. The company currently operates in almost 200 countries across the globe, providing protection for over 300 million users worldwide. Learn more at http://www.kaspersky.co.uk. For the latest on antivirus, anti-spyware, anti-spam and other IT security issues and trends, visit: http://www.securelist.com/.

*The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2010. The rating was published in the IDC report Worldwide IT Security Products 2011-2015 Forecast and 2010 Vendor Shares - December 2011. The report ranked software vendors according to earnings from sales of endpoint security solutions in 2010.

© 2013 Kaspersky Lab. The information contained herein is subject to change without notice. The only warranties for Kaspersky Lab products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Kaspersky Lab shall not be liable for technical or editorial errors or omissions contained herein.


Follow us on Twitter

http://www.twitter.com/kasperskyuk

Like us on Facebook

http://www.facebook.com/Kaspersky

Editorial contact:
Berkeley PR    
Ella Thompson    
[email protected]    
Telephone: +44(0)118-909-0909    
   
1650 Arlington Business Park    
RG7 4SA, Reading    

Kaspersky Lab UK
Ruth Knowles
[email protected]
Telephone: +44(0)871-789-1633

Milton Business Park
OX14 4RY, Oxford

SOURCE Kaspersky Lab

More Stories By PR Newswire

Copyright © 2007 PR Newswire. All rights reserved. Republication or redistribution of PRNewswire content is expressly prohibited without the prior written consent of PRNewswire. PRNewswire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

@CloudExpo Stories
The Internet of Things will greatly expand the opportunities for data collection and new business models driven off of that data. In her session at Internet of @ThingsExpo, Esmeralda Swartz, CMO of MetraTech, will discuss how for this to be effective you not only need to have infrastructure and operational models capable of utilizing this new phenomenon, but increasingly service providers will need to convince a skeptical public to participate. Get ready to show them the money! Speaker Bio: ...
Compute virtualization has been transformational, yet security policy implementation and enforcement has lagged behind in agility and automation. There are a number of key considerations when implementing policy in private and hybrid clouds. In his session at 15th Cloud Expo, Holland Barry, VP of Technology at Catbird, will discuss the impact of this new paradigm and what organizations can do today to safely move to software-defined network and compute architectures, including: How normal ope...
Samsung VP Jacopo Lenzi, who headed the company's recent SmartThings acquisition under the auspices of Samsung's Open Innovaction Center (OIC), answered a few questions we had about the deal. This interview was in conjunction with our interview with SmartThings CEO Alex Hawkinson. IoT Journal: SmartThings was developed in an open, standards-agnostic platform, and will now be part of Samsung's Open Innovation Center. Can you elaborate on your commitment to keep the platform open? Jacopo Lenzi: S...
How do APIs and IoT relate? The answer is not as simple as merely adding an API on top of a dumb device, but rather about understanding the architectural patterns for implementing an IoT fabric. There are typically two or three trends: Exposing the device to a management framework Exposing that management framework to a business centric logic • Exposing that business layer and data to end users. This last trend is the IoT stack, which involves a new shift in the separation of what stuff hap...
SYS-CON Events announced today that SOA Software, an API management leader, will exhibit at SYS-CON's 15th International Cloud Expo®, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. SOA Software is a leading provider of API Management and SOA Governance products that equip business to deliver APIs and SOA together to drive their company to meet its business strategy quickly and effectively. SOA Software’s technology helps businesses to accel...
SYS-CON Events announced today that Utimaco will exhibit at SYS-CON's 15th International Cloud Expo®, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. Utimaco is a leading manufacturer of hardware based security solutions that provide the root of trust to keep cryptographic keys safe, secure critical digital infrastructures and protect high value data assets. Only Utimaco delivers a general-purpose hardware security module (HSM) as a customiz...
Almost everyone sees the potential of Internet of Things but how can businesses truly unlock that potential. The key will be in the ability to discover business insight in the midst of an ocean of Big Data generated from billions of embedded devices via Systems of Discover. Businesses will also need to ensure that they can sustain that insight by leveraging the cloud for global reach, scale and elasticity.
SYS-CON Events announced today that ElasticBox is holding a Hackathon at DevOps Summit, November 6 from 12 pm -4 pm at the Santa Clara Convention Center in Santa Clara, CA. You can enter as an individual or team of up to 10 developers. A New Star Is Born Every Month! All completed ElasticBoxes will then be sent to a judging panel - 12 winners will be featured on the ElasticBox website in 2015. All entrants will receive five full enterprise licenses for one year + ElasticBox headphones + Elasti...
Once the decision has been made to move part or all of a workload to the cloud, a methodology for selecting that workload needs to be established. How do you move to the cloud? What does the discovery, assessment and planning look like? What workloads make sense? Which cloud model makes sense for each workload? What are the considerations for how to select the right cloud model? And how does that fit in with the overall IT tranformation? In his session at 15th Cloud Expo, John Hatem, head of V...
Cloud services are the newest tool in the arsenal of IT products in the market today. These cloud services integrate process and tools. In order to use these products effectively, organizations must have a good understanding of themselves and their business requirements. In his session at 15th Cloud Expo, Brian Lewis, Principal Architect at Verizon Cloud, will outline key areas of organizational focus, and how to formalize an actionable plan when migrating applications and internal services to...
SAP is delivering break-through innovation combined with fantastic user experience powered by the market-leading in-memory technology, SAP HANA. In his General Session at 15th Cloud Expo, Thorsten Leiduck, VP ISVs & Digital Commerce, SAP, will discuss how SAP and partners provide cloud and hybrid cloud solutions as well as real-time Big Data offerings that help companies of all sizes and industries run better. SAP launched an application challenge to award the most innovative SAP HANA and SAP ...
Ixia develops amazing products so its customers can connect the world. Ixia helps its customers provide an always-on user experience through fast, secure delivery of dynamic connected technologies and services. Through actionable insights that accelerate and secure application and service delivery, Ixia's customers benefit from faster time to market, optimized application performance and higher-quality deployments.
SYS-CON Events announced today that Calm.io has been named “Bronze Sponsor” of DevOps Summit Silicon Valley, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. Calm.io is a cloud orchestration platform for AWS, vCenter, OpenStack, or bare metal, that runs your CL tools puppet, Chef, shell, git, Jenkins, nagios, and will soon support New Relic and Docker. It can run hosted, or on premise and provides VM automation / expiry, self-service portals,...
In her General Session at 15th Cloud Expo, Anne Plese, Senior Consultant, Cloud Product Marketing, at Verizon Enterprise, will focus on finding the right mix of renting vs. buying Oracle capacity to scale to meet business demands, and offer validated Oracle database TCO models for Oracle development and testing environments. Anne Plese is a marketing and technology enthusiast/realist with over 19+ years in high tech. At Verizon Enterprise, she focuses on driving growth for the Verizon Cloud pla...
SYS-CON Events announced today that Aria Systems, the recurring revenue expert, has been named "Bronze Sponsor" of SYS-CON's 15th International Cloud Expo®, which will take place on November 4-6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. Aria Systems helps leading businesses connect their customers with the products and services they love. Industry leaders like Pitney Bowes, Experian, AAA NCNU, VMware, HootSuite and many others choose Aria to power their recurring revenue bu...
The Internet of Things (IoT) is going to require a new way of thinking and of developing software for speed, security and innovation. This requires IT leaders to balance business as usual while anticipating for the next market and technology trends. Cloud provides the right IT asset portfolio to help today’s IT leaders manage the old and prepare for the new. Today the cloud conversation is evolving from private and public to hybrid. This session will provide use cases and insights to reinforce t...
As Platform as a Service (PaaS) matures as a category, developers should have the ability to use the programming language of their choice to build applications and have access to a wide array of services. Bluemix is IBM's open cloud development platform that enables users to easily build cloud-based, creative mobile and web applications without having to spend large amounts of time and resources on configuring infrastructure and multiple software licenses. In this track, you will learn about the...
Blue Box has closed a $10 million Series B financing. The round was led by a strategic investor and included participation from prior investors including Voyager Capital and Founders Collective, as well as the Blue Box executive team. This round follows a $4.3 million Series A closed in December of 2012 and led by Voyager Capital. In May of this year, the company announced general availability of its private cloud as a service offering, Blue Box Cloud. Since that release, the company has dem...
SYS-CON Events announced today that Verizon has been named "Gold Sponsor" of SYS-CON's 15th International Cloud Expo®, which will take place on November 4-6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. Verizon Enterprise Solutions creates global connections that generate growth, drive business innovation and move society forward. With industry-specific solutions and a full range of global wholesale offerings provided over the company's secure mobility, cloud, strategic network...
SimpleECM is the only platform to offer a powerful combination of enterprise content management (ECM) services, capture solutions, and third-party business services providing simplified integrations and workflow development for solution providers. SimpleECM is opening the market to businesses of all sizes by reinventing the delivery of ECM services. Our APIs make the development of ECM services simple with the use of familiar technologies for a frictionless integration directly into web applicat...