Kaspersky Lab released the first of a two-part report on "Red October," a malware attack the company believes is infesting high-level government systems throughout Europe and could be specifically targeting classified documents. According to the report, the stolen data is on the order of "hundreds of Terabytes," and went largely undetected for about five years.
Red October, or "Rocra," takes its name from the month in which it was first discovered and the titular silent Russian submarine imagined by author Tom Clancy. You can read more about Red October and its background over at PC Mag.
Specifically Targeted Attacks

The report describes Red October as a "framework," which can be quickly upgraded to take advantage of its victims' weaknesses. The attackers began their assault with spearphishing emails or infected documents tailored to appeal to their targets. Once a machine was infected, the intruders would gather information on the system before installing specific modules to grow the intrusion. Kaspersky counted around 1,000 such unique files falling into about 30 categories of modules.
This is a markedly different approach from that of Flame or other headline-grabbing malware. The report says, "there is a high degree of interaction between the attackers and the victim - the operation is driven by the kind of configuration the victim has, which type of documents they use, installed software, native language and so on."
"Compared to Flame and Gauss, which are highly automated cyberespionage campaigns, Rocra is a lot more 'personal' and finely tuned for the victims," writes Kaspersky.
The attackers were as devious as they were methodical, actually changing tactics to employ stolen information. "Information harvested from infected networks is reused in later attacks," writes Kaspersky. "For example, stolen credentials were compiled in a list and used when the attackers needed to guess passwords and network credentials in other locations."
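The credential-reuse pattern described above leaves a trace that defenders can look for: one source host attempting many different accounts in a short span, sometimes with a few successes mixed in. The following is an added example, not code from the Kaspersky report or from any Red October tooling; it runs a simple sliding-window detector over a constructed, simplified authentication log (the field layout `timestamp user src_host dst_host result` is an assumption made for this illustration) and reports source hosts that cycled through a list of accounts, along with which of those accounts they got into.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data).
# Field layout assumed for this example: "<iso-timestamp> <user> <src_host> <dst_host> <SUCCESS|FAILURE>".
# WS-17 runs through five accounts in eight seconds (a harvested credential list being tried);
# WS-22 is an ordinary user mistyping a password once.
SAMPLE_LOG = """\
2013-01-14T09:00:01 alice WS-17 FILESRV-01 SUCCESS
2013-01-14T09:00:05 alice WS-17 FILESRV-02 FAILURE
2013-01-14T09:00:06 bob WS-17 FILESRV-02 FAILURE
2013-01-14T09:00:07 carol WS-17 FILESRV-02 FAILURE
2013-01-14T09:00:08 dave WS-17 FILESRV-02 FAILURE
2013-01-14T09:00:09 erin WS-17 FILESRV-02 SUCCESS
2013-01-14T09:30:00 bob WS-22 FILESRV-01 FAILURE
2013-01-14T09:31:00 bob WS-22 FILESRV-01 SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (SUCCESS|FAILURE)$")


def parse(log_text):
    """Parse log lines into event dicts; malformed lines are skipped rather than aborting the run."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, src, dst, result = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "src": src,
            "dst": dst,
            "ok": result == "SUCCESS",
        })
    return events


def find_credential_list_reuse(events, window=timedelta(minutes=5), min_accounts=4):
    """Flag source hosts that attempted >= min_accounts distinct accounts inside one time window.

    Returns {src_host: {"accounts": [...], "successes": [...]}} so an analyst can see
    both the breadth of the attempt and which accounts the source actually got into.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span [start, end] fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            in_window = evs[start:end + 1]
            users = {e["user"] for e in in_window}
            if len(users) >= min_accounts:
                f = findings.setdefault(src, {"accounts": set(), "successes": set()})
                f["accounts"] |= users
                f["successes"] |= {e["user"] for e in in_window if e["ok"]}

    return {
        src: {"accounts": sorted(f["accounts"]), "successes": sorted(f["successes"])}
        for src, f in findings.items()
    }


if __name__ == "__main__":
    for host, detail in find_credential_list_reuse(parse(SAMPLE_LOG)).items():
        print(f"{host}: tried {len(detail['accounts'])} accounts, "
              f"succeeded as {', '.join(detail['successes']) or 'none'}")
```

The threshold of four distinct accounts in five minutes is a starting point, not a tuned value; on a real directory the window and count should be set from baseline data so that help-desk hosts and service accounts do not trip it. The successes list is what makes the alert actionable, since those are the accounts that now need credential resets.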
Staying Off the Radar

This kind of targeted attack not only allowed those behind Red October to go after high-level targets, but also helped the operation remain undetected for years. "The combination of highly skilled, well-funded attackers and a limited distribution generally means malware is able to remain under the radar for a significant period of time," Kaspersky senior researcher Roel Schouwenberg told SecurityWatch. "Additionally, we haven't seen the use of any zero-day vulnerabilities, which again goes to show how important patching is."
Schouwenberg went on to say that multiple layers of security can help block these kinds of attacks. He told SecurityWatch, "this is why defense in depth is important and approaches such as default deny, whitelisting and application control come into play. Attacks can be stopped even without exact detection."
Not Necessarily the Work of Nations

Despite the high-level targets, Kaspersky stresses that there is no definitive link to a state-sponsored attack. The report says that while the information targeted could be valuable to nations, "such information could be traded in the underground and sold to the highest bidder, which can be of course, anywhere."
Tailor-made threats like Red October are the kind of worst-case scenarios that keep security people at the Pentagon up all night. Fortunately, the specificity that made Red October successful also means it's unlikely to threaten regular consumers like you and me.
Unfortunately, that doesn't change the fact that a new and powerful player has been operating behind the scenes for years.