Red October Espionage Network Rivals Flame

Security researchers have uncovered an espionage malware network that's been operating undetected for at least five years and that has likely stolen quantities of data that stretch into the terabytes.

"The campaign, identified as 'Rocra' -- short for 'Red October' -- is currently still active, with data being sent to multiple command-and-control servers, through a configuration which rivals in complexity the infrastructure of the Flame malware," read research published by Kaspersky Lab.

Operation Red October involves a series of highly targeted attacks. "All the attacks are carefully tuned to the specifics of the victims. For instance, the initial documents are customized to make them more appealing, and every single module is specifically compiled for the victim with a unique victim ID inside," said Kaspersky Lab. In addition, it said attacks are also customized based on the target's native language, the specific software installed on their system, and the types of documents they prefer to use.

[ Did recent attacks on U.S. banks really have ties to Iran? Read more at Bank Attacker Iran Ties Questioned By Security Pros. ]

Kaspersky Lab said it first learned of the attacks in October 2012, after being supplied -- by a third party that wishes to remain anonymous -- with samples of spear-phishing emails and malware modules being used by attackers. Interestingly, the spear-phishing attack emails appear to have been recycled from an attack campaign that targeted Tibetan activists, as well as military organizations and energy companies in Asia. Attackers, however, substituted their own malicious code.

Working with US-CERT as well as the Romanian CERT and the Belarusian CERT, Kaspersky Lab said it began monitoring the malware used by attackers on Nov. 2, 2012. By Jan. 10, 2013, it had seen 250 different IP addresses registering more than 55,000 connections to a sinkhole it created to study the attacks.

The greatest number of Rocra-infected PCs (35) appear to be in the Russian Federation, followed by Kazakhstan (21), Azerbaijan (15), Belgium (15) and India (14). "The infections we've identified are distributed mostly in Eastern Europe, but there are also reports coming from North America and Western European countries such as Switzerland or Luxembourg," read the report.

The malware being used by attackers, which is still active, has primarily targeted organizations belonging to one of the following eight categories: government, diplomatic (including embassies), research institutions, trade and commerce, nuclear or energy research, oil and gas, aerospace, and military.

Once the malware infects a PC, it serves as a launch pad for further attack code, which typically gets downloaded once, executed and then deleted. Other modules, however, such as malicious code that waits for a smartphone to be connected to a PC and then steals data from the device, remain indefinitely active. "During our investigation, we've uncovered over 1,000 modules belonging to 30 different module categories," said Kaspersky Lab. "These have been created between 2007 with the most recent being compiled on 8th Jan 2013."

Various modules offer the ability to retrieve Windows and Outlook account hashes, steal information stored on locally connected USB devices or smartphones -- iPhone, Android, Nokia and Windows Mobile -- as well as record keystrokes and webcam images, scan for open ports, grab and upload interesting files and more.

A network of command-and-control (C&C) servers is interfacing with the infected PCs to retrieve stolen data. "We uncovered more than 60 domain names used by the attackers to control and retrieve data from the victims. The domain names map to several dozen IPs located mostly in Russia and Germany," reported Kaspersky Lab. But again, it's unclear who's controlling the C&C servers, or where they're located. "The C&C infrastructure is actually a chain of servers working as proxies and hiding the location of the true -- mothership -- command and control server," the report read.

Some of the documents stolen by attackers have filenames that end with the "acid" extension, such as "acidcsa" and "acidsca." According to Kaspersky Lab, the 'acid*' extensions appear to refer to the classified software 'Acid Cryptofiler,' which is used by several entities such as the European Union and/or NATO.

Who built Rocra? According to Kaspersky Lab, the exploits appear to have been created by Chinese hackers, although the malware modules were apparently written by Russian-language speakers. Indeed, the report from Kaspersky Lab, which is based in Moscow and was founded by Russian security expert Eugene Kaspersky, also reported finding typos and misspellings in the malware code that appear to be Russian-language slang terms, including the word "progra," which is a transliteration of Russian software engineer slang for an application. The word "zakladka" also appears in the code, which in Russian can refer to a "bookmark" but is also a slang term for "undeclared functionality" in hardware and software. According to the researchers, however, it may also mean a microphone embedded in a brick of the embassy building.

Despite the Chinese and Russian ties, however, currently there is no evidence linking this with a nation-state sponsored attack, according to the report.

If a government didn't launch this malware, where might it have originated? "The information stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states," said researchers. "Such information could be traded in the underground and sold to the highest bidder, which can be of course, anywhere."

Kaspersky Lab reported finding no connections between the malware and Flame, or any malware that's related to Flame, which security experts believe was built by the U.S. government. Meanwhile, the malware is also much more advanced than the attack code used in the Aurora or Night Dragon attacks, both of which have been ascribed to the Chinese government. "Compared to Aurora and Night Dragon, Rocra is a lot more sophisticated," said Kaspersky Lab.

As malware gets increasingly sophisticated, so, too, must the technology and strategies we use to detect and eradicate it (or, better yet, stop it before it ever makes it onto network systems). Our Rooting Out Sophisticated Malware report examines the tools, technologies and strategies that can ease some of the burden. (Free registration required.)