‘Red October’ cyber-attack campaign discovered

A high-profile cyber-attack campaign dubbed ‘Red October’ that has been in operation since 2007 has been discovered, internet security specialist Kaspersky Lab has confirmed.

Targeting sensitive information held by diplomatic, governmental and scientific research organisations worldwide, the cyber-attack campaign has been discovered following an investigation launched by the malware experts in October 2012. The Red October threat, which can be traced back almost six years, also goes by the codename ‘Rocra’.

Designed to infiltrate encrypted files, the identified ‘Rocra’ malware has been found to gather classified documents that included geopolitical intelligence, access credentials for classified systems and data from personal devices and network equipment.

The unique malware is comprised of several modules each with a specific objective or purpose to steal information from its targets. This malware is capable of stealing data from smartphones, enterprise network equipment such as routers or switches, and retrieving deleted files from USB sticks and external hard drives.

The attackers also used the malware to regain access to any infected machines whose user had discovered and removed the main malware body, by embedding a module as a plug-in within Adobe Reader and Microsoft office installations.

The cyber-attackers, who created more than 60 domain names and multiple server hosting locations across the world, with the majority based in Germany and Russia, infect their victims via a targeted spear-phishing email. This email included a customised Trojan dropper that would exploit security vulnerabilities inside Microsoft Office and Excel in order to infiltrate their targets.

Using its Kaspersky Security Network (KSN), a cloud-based security service that delivers advanced threat protection, Kaspersky detected the exploit code used by the attackers’ malware in 2011 and began the search for similar findings related to ‘Rocra’. The Lab’s research team also created a sinkhole server to monitor all infected machines they were connected to.

Kaspersky’s findings showed that several hundred unique systems had been infected, including multiple embassies, government networks and organisations located primarily in Eastern Europe, as well as North America, and Western European countries such as Switzerland and Luxembourg.

Through various artefacts left in the executables of the malware, Kaspersky says there is strong technical evidence to suggest the attackers have Russian-speaking origins, and are producing malware with executables that were unknown and unidentified prior to the ‘Red October’ campaign.

Offering reasurances to consumers troubled by the potential Red October threat, a Kaspersky spokesperson stated: “The Rocra malware is successfully detected, blocked and remediated by Kaspersky Lab’s products, classified as Backdoor.Win32.Sputnik.”

Do you protect all of your personal devices such as laptops, smartphones and tablets from malware threats or do you see security software as an unneccessary expense? Let us know via the Trusted Reviews Twitter and Facebook feeds or through the comment boxes below.