The Hunt For "Red October"
January 15, 2013 1:55 AM   Subscribe

An advanced and well-orchestrated computer spy operation that targeted diplomats, governments and research institutions for at least five years has been uncovered by security researchers in Russia.
The highly targeted campaign, which focuses primarily on victims in Eastern Europe and Central Asia based on existing data, is still live, harvesting documents and data from computers, smartphones and removable storage devices, such as USB sticks, according to Kaspersky Lab, the Moscow-based antivirus firm that uncovered the campaign. Kaspersky has dubbed the operation “Red October.”

Massive espionage malware targeting governments undetected for 5 years - "Red October" command-and-control setup more sophisticated than that of Flame.

Kaspersky uncovers Red October malware campaign targeting governments for the last 5 years

"Red October" Diplomatic Cyber Attacks Investigation
In October 2012, Kaspersky Lab’s Global Research & Analysis Team initiated a new threat research after a series of attacks against computer networks of various international diplomatic service agencies. A large scale cyber-espionage network was revealed and analyzed during the investigation, which we called «Red October» (after famous novel «The Hunt For The Red October»).

This report is based on detailed technical analysis of a series of targeted attacks against diplomatic, governmental and scientific research organizations in different countries, mostly related to the region of Eastern Europe, former USSR members and countries in Central Asia.

The main objective of the attackers was to gather intelligence from the compromised organizations, which included computer systems, personal mobile devices and network equipment.

The earliest evidence indicates that the cyber-espionage campaign was active since 2007 and is still active at the time of writing (January 2013). Besides that, registration data used for the purchase of several Command & Control (C&C) servers and unique malware filenames related to the current attackers hints at even earlier time of activity dating back to May 2007.
"Red October" is still operational at this time. There are some indications is was used to collect information from EU and NATO encrypted systems.
The botnet/worm has been compared to Stuxnet, Duqu, and Flame/Skywiper (Flame Full Analysis), though it does not currently appear to be connected to any of them, either through code analysis or methodology.

Previously on MetaFilter, in reverse chronological order:
"Flame is a newly-identified malware program"
US and Israel Confirmed As Authors Of Stuxnet Virus
Stuxnet II: Electric Duqu
Stux to be you
Weapons of the 21st Century
posted by the man of twists and turns (25 comments total) 15 users marked this as a favorite
 
Another Ars article just posted:
Red October relied on Java exploit to infect PCs
posted by XMLicious at 2:07 AM on January 15, 2013 [1 favorite]


It's mighty ballsy of a moscow based security firm to blow open a russian spy operation.
posted by empath at 2:12 AM on January 15, 2013 [2 favorites]


They're probably hoping to be hired for consulting on the improved sequel.
posted by brokkr at 2:17 AM on January 15, 2013 [3 favorites]


Any idea if this one is Russian or American though?
posted by jeffburdges at 2:19 AM on January 15, 2013


Well, according to the article they are guessing Chinese-originated exploits coupled with native speaking Russian-originated malware.
posted by Samizdata at 2:45 AM on January 15, 2013


It's mighty ballsy of a moscow based security firm to blow open a russian spy operation.

All depends on who's the paymasters. Part of who pays Karsparski is computer using consumers looking for protection/detection of viruses. Releasing this is good PR for Karsparski.
posted by rough ashlar at 4:25 AM on January 15, 2013


Spoiler: It's the cook
posted by hellojed at 6:28 AM on January 15, 2013 [2 favorites]


It's most likely, in my opinion, Chinese. My guess is that during the initial stages while they were going at Russia, and they uncovered some exploits and performed the equivalent of a hacker's copy paste.

Also, I think this will be discovered to be privately sponsored. Most of this appears targeted, but due to fact embassies, rather than interior government services, was the most frequently hit, it seems to me the focus was correspondences and not the actual IP.

But this is just my uneducated guess. IP could have been the focus, and they were just not as successful.
posted by Bathtub Bobsled at 6:35 AM on January 15, 2013


Or... Crazy thought...

Seeing as the West outsources so much of its grunt work to China, could it be an operation sponsored by the West, using China as both its labor and another layer of protection to keep their hands clean?
posted by Bathtub Bobsled at 6:38 AM on January 15, 2013


> Spoiler: It's the cook

It was Col. Mustard, in the Library, with MASM. The colonel is cleverer than anyone suspects.
posted by jfuller at 6:40 AM on January 15, 2013 [1 favorite]


Hmm.

tin foil cap, on.

So, this java hole is announced. Then, suddenly, this apparently years old worm that used that hole is "exposed" by Kapersky.

tin foil jockstrap, on.
ow

So, what if that thing was written with Kapersky's help. And, since they know the game is up with that hole, Kapersky "exposes" it and gets that much more reputation. But, funnily enough, they never "detected" it before, because, of course, the Kremlin (with support of the Boy Scouts of America and the Orbital Mind Control Lasers) told them not to detect it.

tin foil off. God, the crinkling noise is the worst part, I swear.
posted by eriko at 7:18 AM on January 15, 2013 [9 favorites]


Any idea if this one is Russian or American though?

Though Red October appears to be Russian, it has a very strong Scottish accent.
posted by Kabanos at 7:19 AM on January 15, 2013 [14 favorites]


Apparently when contacting the command and control servers it checks for connectivity using one ping only.
posted by WinnipegDragon at 7:20 AM on January 15, 2013 [18 favorites]


I don't believe a word anyone says about computer security unless there's some independent evidence.

That's what writing about this stuff for more than twenty-five years does to a chap, I'm afraid.
posted by Devonian at 7:29 AM on January 15, 2013 [1 favorite]


Well, according to the article they are guessing Chinese-originated exploits coupled with native speaking Russian-originated malware.

Some days I love living in a William Gibson novel. :)
posted by Celsius1414 at 9:55 AM on January 15, 2013 [3 favorites]


Though Red October appears to be Russian, it has a very strong Scottish accent.

Give me a ping, Vasili. One ping only, please.
posted by Celsius1414 at 9:56 AM on January 15, 2013 [3 favorites]


Evgeniy Kaspersky was trained by the KGB, so I'm confident in guessing his firm has plenty of contracts with the Russian defense establishment. Curious to learn more about this.
posted by Emperor SnooKloze at 10:59 AM on January 15, 2013


Celsius1414: "Well, according to the article they are guessing Chinese-originated exploits coupled with native speaking Russian-originated malware.

Some days I love living in a William Gibson novel. :)
"

Me too. Worst part about typing in this coffin is staying all hunched over my Hosaka.
posted by Samizdata at 1:48 PM on January 15, 2013 [1 favorite]


eriko: "because, of course, the Kremlin (with support of the Boy Scouts of America and the Orbital Mind Control Lasers)"

Don't forget the reverse vampires.
posted by Chrysostom at 9:39 AM on January 16, 2013


And Colonel Sanders, before he went tits up.
posted by Elementary Penguin at 11:36 AM on January 16, 2013


Elementary Penguin: "And Colonel Sanders, before he went tits up."

What?

The conspiracy to hide Sander's TRUE gender is revealed?

Before the real herbs and spices?

People are going to die now.
posted by Samizdata at 8:21 AM on January 17, 2013


Elementary Penguin is talking about this.
posted by Chrysostom at 8:38 AM on January 17, 2013


Chrysostom: "Elementary Penguin is talking about this ."

I'll confess, I had seen that, but forgot about it.

So, I went on a random conspiracy rant, just like people seem to like to do nowadays.
posted by Samizdata at 12:19 PM on January 18, 2013






« Older To tell the story to someone else...   |   Cap'n Crunch Sous Vide Newer »


This thread has been archived and is closed to new comments