“According to our knowledge, never before in the history of ITSec has [a] cyber-espionage operation been analyzed in such deep detail … the research that we are publishing today is perhaps the biggest malware research paper ever.” - Kaspersky Lab, January 2013
Red October is a high-level cyber-espionage campaign that infiltrated computer networks for 5 years at diplomatic, governmental and scientific research organizations mostly in Eastern Europe, Central Asia, Western Europe and North America – including the United States.
During the past several months we’ve been analyzing the malware, and have counted several hundreds of infections worldwide. The main purpose of the Red October operation appears to be the gathering of classified information and geopolitical intelligence; although it seems that the information gathering scope is quite wide. During the past five years, the attackers collected information from hundreds of high profile victims although it’s unknown how the information was used. The primary victims were in all sorts of organizations ranging from embassies, governments to oil and gas, nuclear energy and research institutions.
We have observed the use of at least four different exploits for previously known vulnerabilities to gain access to information: one in MS Excel, two in MS Word and one in Java. The attackers initially gained access to networks by sending specially crafted spear phishing emails. These emails would entice the receiver to open the attached malicious document, which would then try to exploit a software vulnerability to silently install the malware.
Although we don’t know who the attackers are, we are highly confident that they’re Russian-speaking. That still doesn’t tell us anything about their whereabouts though – they could be located in Brooklyn, NY for all we know. But we do know their motivation is to steal as much information from as many devices as possible. There also seems to be a focus on political espionage more than any other type of espionage.
Red October is very well-executed, both from a creation and operation point of view. Considering cyber-warfare operations are highly developed attacks designed to undermine critical energy, finance, telecommunications and government cyber-network infrastructures worldwide, one of my biggest concerns, which is a concern shared by many, is the security of the infrastructures that control such systems: SCADA (supervisory control and data acquisition). Since SCADA systems are accessible via conventional computer networks, they are vulnerable to hackers. Because of these concerns, Kaspersky Lab is developing a secure operating system for these systems. This type of secure unit is the first step towards an efficient protection against cyber-warfare.
citizentekk NOTE: Read more about SCADA systems inside this issue from Bjorn Frogner, PhD in Nuclear Engineering.
In order to thwart cyber-attacks, collaboration and information sharing of mitigation techniques and countermeasures must be cultivated on a global and local level. By integrating defensive technologies with educational training and guidance, a more secure infrastructure will be created while also driving up the cost of cybercrime by making exploitation and cyber-attacks more expensive to conduct.