A new research report from cyber sleuths extraordinaire Kaspersky Labs has identified an elusive cyber-espionage campaign that targets diplomatic, governmental and scientific research organizations in several countries for at least five years. According to the report, Operation Red October, called “Rocra” for short, is still active as of January 2013, and has been a sustained campaign dating back as far as 2007.
As Kaspersky points out, while the primary focus of this campaign targets countries in Eastern Europe, former USSR Republics, and countries in Central Asia, “victims can be found everywhere, including Western Europe and North America.” The company goes on to say that, “The main objective of the attackers was to gather sensitive documents from the compromised organizations, which included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment.” This is a devilishly nasty piece of work.
The hunt for Red October
This hunt for Red October was initiated back in October of 2012. As noted, it revealed that attackers have been active since 2007. While the focus has been on diplomatic and governmental agencies, research institutions, energy and nuclear groups, and trade and aerospace targets have also been hit.
Kaspersky says that Rocra was designed using home-grown malware that has its own unique modular architecture comprised of malicious extensions, info-stealing modules and backdoor Trojans. The attackers often used information exfiltrated from infected networks to gain entry into additional systems. The ingenuity of the bad guys is evident in their use of more than 60 domain names and several server hosting locations in different countries, with the majority in Germany and Russia. Kaspersky Lab says its analysis of Rocra’s Command & Control (C2) infrastructure shows that, “the chain of servers was actually working as proxies in order to hide the location of the ‘mothership’ control server.”
How they infect victims
While Kaspersky outlines the details of how victims are infected, the bottom line is that attackers sent a targeted spear-phishing e-mail to a victim that included a customized Trojan dropper. The reason for concern here, aside from the incredibly confidential nature of the information the attackers are looking to extract, is that malware installation came about because the malicious e-mail included exploits for security vulnerabilities inside Microsoft Office and Microsoft Excel. Kaspersky says in citing one example that, “The only thing that was changed in the document used by Rocra was the embedded executable, which the attackers replaced with their own code. Notably, one of the commands in the Trojan dropper changed the default system codepage of the command prompt session to 1251, which is required to render Cyrillic fonts.”
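The behaviour quoted above (an Office document's embedded executable spawning a command prompt that switches the codepage to 1251) is the kind of thing process-creation telemetry can catch. The following is an added example written for this article, not code from Kaspersky or from the report: it parses constructed sample telemetry lines in a made-up `host|parent_image|image|command_line` format and flags a shell launched from an Office application, raising the severity when the command line also sets codepage 1251. A user on a Russian-locale machine running `chcp 1251` from Explorer is deliberately not flagged, since the codepage alone is not suspicious.

```python
"""Hypothetical detection heuristic for Office -> cmd.exe -> chcp 1251.

Added example for this article; telemetry format, host names and command
lines are all constructed, not taken from the Rocra report.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Office applications that should rarely, if ever, spawn a command shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe"}
# The codepage switch described in the report, as a command-line pattern.
CHCP_1251 = re.compile(r"\bchcp\s+1251\b", re.IGNORECASE)


@dataclass
class Event:
    host: str
    parent: str   # base name of the parent image, lower-cased
    image: str    # base name of the created process, lower-cased
    cmdline: str


def _basename(path: str) -> str:
    """Return the file name portion of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> Optional[Event]:
    """Parse one constructed telemetry line; return None for malformed input."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None
    host, parent, image, cmdline = parts
    return Event(host, _basename(parent), _basename(image), cmdline)


def classify(ev: Event) -> Optional[str]:
    """Severity for one event: 'high', 'medium' or None (benign)."""
    if ev.image in SHELLS and ev.parent in OFFICE_PARENTS:
        # Office spawning a shell is already unusual; the codepage switch
        # matches the dropper behaviour the report describes.
        return "high" if CHCP_1251.search(ev.cmdline) else "medium"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, severity, command_line) for every flagged event."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue              # skip malformed records rather than crash
        severity = classify(ev)
        if severity:
            alerts.append((ev.host, severity, ev.cmdline))
    return alerts


# Constructed sample telemetry (hypothetical hosts and paths).
SAMPLE_TELEMETRY = [
    r"ws-01|C:\Program Files\Microsoft Office\Office12\WINWORD.EXE|C:\Windows\System32\cmd.exe|cmd.exe /c chcp 1251 && dir",
    r"ws-02|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c chcp 1251",
    r"ws-03|C:\Program Files\Microsoft Office\Office12\EXCEL.EXE|C:\Windows\System32\cmd.exe|cmd.exe /c dir",
    r"ws-04|C:\Program Files\Microsoft Office\Office12\WINWORD.EXE|C:\Windows\splwow64.exe|splwow64.exe 8192",
    "malformed record without separators",
]

if __name__ == "__main__":
    for host, severity, cmdline in scan(SAMPLE_TELEMETRY):
        print(f"{host}: {severity}: {cmdline}")
```

Running the block prints one high-severity alert for ws-01 and one medium alert for ws-03; ws-02 (Explorer parent) and ws-04 (print spooler helper) are not reported.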
How Kaspersky Lab’s experts actually detect such activities is the stuff of popular movies and TV shows. Details are available in materials from Kaspersky for those who want more information. Two detection techniques are used which show the sophistication of what is needed to keep up with bad actors:
- Detection statistics from the Kaspersky Security Network (KSN), the cloud-based security service used by Kaspersky Lab products to report telemetry and deliver advanced threat protection in the form of blacklists and heuristic rules.
- Creating a sinkhole server so researchers could monitor infected machines connecting to Rocra’s C2 servers.
The data received during the analysis from both methods provided two independent ways of correlating and confirming their findings. What the analyses showed was that Rocra malware has a “unique architecture and functionality,” which unfortunately highlights the ingenuity of its authors.
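To make the "two independent ways of correlating and confirming" concrete, here is an added example (written for this article, not Kaspersky's code or data) that joins the two sources just described: a sinkhole log of hosts still beaconing to former C2 domains, and product telemetry of detections under the `Backdoor.Win32.Sputnik` name. Hosts that appear in both sources are confirmed; hosts seen only at the sinkhole are infected machines the product has not reported, and hosts seen only in telemetry were detected without being observed beaconing. All log lines, IP addresses (documentation ranges) and domain names are constructed placeholders, not Rocra's real infrastructure.

```python
"""Hypothetical correlation of sinkhole hits with detection telemetry.

Added example for this article. Both log formats are made up:
  sinkhole line : "<timestamp> <src_ip> <domain>"
  telemetry line: "<timestamp> <ip> <detection_name>"
"""
from collections import defaultdict
from typing import Dict, List, Set


def parse_sinkhole(lines: List[str]) -> Dict[str, Set[str]]:
    """Map each beaconing source IP to the sinkholed domains it contacted."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue                      # ignore malformed entries
        _ts, ip, domain = parts
        hits[ip].add(domain.lower())
    return hits


def parse_telemetry(lines: List[str]) -> Dict[str, Set[str]]:
    """Map each reporting host IP to the detection names raised on it."""
    detections: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, ip, name = parts
        detections[ip].add(name)
    return detections


def correlate(sinkhole_lines: List[str], telemetry_lines: List[str],
              family: str = "Backdoor.Win32.Sputnik") -> Dict[str, List[str]]:
    """Split hosts into confirmed / beacon-only / detection-only buckets."""
    beaconing = set(parse_sinkhole(sinkhole_lines))
    detected = {ip for ip, names in parse_telemetry(telemetry_lines).items()
                if family in names}
    return {
        "confirmed": sorted(beaconing & detected),
        "beacon_only": sorted(beaconing - detected),
        "detection_only": sorted(detected - beaconing),
    }


def victims_per_domain(sinkhole_lines: List[str]) -> Dict[str, int]:
    """Count distinct beaconing hosts per sinkholed domain."""
    per_domain: Dict[str, Set[str]] = defaultdict(set)
    for ip, domains in parse_sinkhole(sinkhole_lines).items():
        for domain in domains:
            per_domain[domain].add(ip)
    return {domain: len(ips) for domain, ips in per_domain.items()}


# Constructed sample data; domains are placeholders, not real C2 names.
SINKHOLE_LOG = [
    "2013-01-10T08:00:01Z 203.0.113.10 c2-placeholder-1.example",
    "2013-01-10T08:05:44Z 203.0.113.10 c2-placeholder-1.example",
    "2013-01-10T09:12:03Z 198.51.100.7 c2-placeholder-2.example",
    "2013-01-11T02:30:00Z 192.0.2.55 c2-placeholder-1.example",
    "malformed entry",
]
TELEMETRY_LOG = [
    "2013-01-09T17:44:10Z 203.0.113.10 Backdoor.Win32.Sputnik",
    "2013-01-10T11:02:51Z 198.51.100.7 Backdoor.Win32.Sputnik",
    "2013-01-10T12:00:00Z 192.0.2.200 Backdoor.Win32.Sputnik",
    "2013-01-10T12:30:00Z 192.0.2.55 Trojan.Generic.Placeholder",
]

if __name__ == "__main__":
    for bucket, hosts in correlate(SINKHOLE_LOG, TELEMETRY_LOG).items():
        print(f"{bucket}: {hosts}")
    print(victims_per_domain(SINKHOLE_LOG))
```

The beacon-only bucket is the interesting one for a responder: those hosts are still talking to the attacker's former domains but raised no matching detection, so they need manual follow-up rather than reliance on the product alone.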
Protection is available
Having found the problem, Kaspersky Labs is out with a fix. The Rocra malware is successfully detected, blocked and remediated by Kaspersky Lab’s products, classified as Backdoor.Win32.Sputnik.
Kaspersky Lab, in collaboration with international organizations, law enforcement agencies and Computer Emergency Response Teams (CERTs), is continuing its investigation of Rocra by providing technical expertise and resources for remediation and mitigation procedures.
Left unsaid is that the targets in this instance have some of the most advanced malware detection and anti-cyber terrorism capabilities available. After all, they are attempting to protect highly confidential materials involving national and international security and the ability to compromise vital infrastructure.
Given how long Rocra has been active, and its level of sophistication in terms of what it can do and the difficulty of detecting it, this once again draws attention to the importance of cyber security in general and is a sobering reminder to enterprise IT professionals of why keeping abreast of what the bad guys are up to matters, even if your sector is not the target. This may not be Happy New Year news, but it is an example of why the axiom, “forewarned is forearmed,” has never been more relevant.
Edited by Brooke Neuman