Paranoid Technology All things cybersecurity


Red October Cyber Espionage Ring

large-red-october We thought it started with StuxNet and/or Flame - Red October cyber espionage ring has been in operation for 5 years, deep undercover. It targeted most major European governments, diplomatic offices all over the world. The most interesting thing this may not be a state sponsored attack, or so far it seems. During its 5 year existence Red October downloaded hundreds of terabytes of data to its operators. Who is behind this operation is currently unclear. Kaspersky Labs uncovered this espionage ring; senior Kaspersky researcher Roel Schouwenberg told SecurityWatch:...

"Additionally, we haven't seen the use of any zero-day vulnerabilities, which again goes to show how important patching is."

The main purpose of the campaign is to gather classified information and geopolitical intelligence. Among the data collected are files from cryptographic systems such as the Acid Cryptofiler, with the collected information used in later attacks. Stolen credentials, for instance, were compiled and used later when the attackers needed to guess secret phrases in other locations.

The command-and-control infrastructure that processes the stolen data utilizes more than 60 domain names as proxy servers to obscure the final destination; mainly Germany and Russia.  According to Kaspersky the command-and-control infrastructure is actually a chain of servers working as proxies and hiding the location of the true -mothership- command and control server. The ability of the infrastructure to shield the identity of the attackers and to resist takedown efforts rivals the command-and-control system used by Flame, the espionage malware reportedly developed by the US and Israel to spy on Iran. The Red October malware itself has remained undetected on more than 300 PCs and networks for more than five years. In addition to traditional attack targets (workstations), the system is capable of stealing data from mobile devices, such as smartphones (iPhone, Nokia, Windows Mobile); dumping enterprise network equipment configuration (Cisco); hijacking files from removable disk drives (including already deleted files via a custom file recovery procedure); stealing e-mail databases from local Outlook storage or remote POP/IMAP server; and siphoning files from local network FTP servers - says Kaspersky experts.

This is only the tip of the iceberg, who is using this data, for what purposes should come to light to understand the full-depth of this operation (if it ever sees the light of day). One cannot help but wonder; how many other stealth cyber espionage rings are out there?

Read Part 1 of the report Kaspersky Labs wrote on their SecureList Blog.

Comments (0) Trackbacks (0)

Sorry, the comment form is closed at this time.

Trackbacks are disabled.