'Red October' malware found snooping on Russian state networks

Russian Internet security firm Kaspersky Labs reports that the newly discovered 'Red October' malware has infected servers worldwide, but Russia and other former Soviet states are the worst hit.

When computer security experts recently discovered the hugely sophisticated and obviously state-sponsored cyberspy worms Stuxnet and Flame, many wondered out loud whether organized criminals might soon get their hands on similar malware tools that can siphon almost any sensitive information from even the best-guarded system. 

The answer may have been staring at them from their computer screens all along. 

On Monday, the Russian Internet security firm Kaspersky Labs announced that it has hunted down a previously unknown, advanced cyber-espionage network that it calls "Red October" (after Tom Clancy's novel), which has probably been vacuuming top-secret data from diplomatic, scientific, and corporate computers around the world since 2007. 

According to the firm, the network is still active. 

"Red October operations started five or more years ago, and during that time attackers went unnoticed," says Igor Soumenkov, a malware expert with Kaspersky Labs. "That is why discovery of other attacks of the same class is possible, and we do expect it." 

But unlike Stuxnet and Flame, which were almost certainly cyberweapons deployed by the United States and its allies against adversaries like Iran, victims of the new Red October malware, or Rocra for short, span the globe.

Kaspersky says in its report that it began investigating the network after a tip from an anonymous partner, and has so far identified hundreds of infections worldwide, all of them in top locations such as government networks, diplomatic institutions, nuclear and aerospace agencies, and international trade groups. 

The largest number of attacks – almost 100 – have struck computers in Russia and the former Soviet Union. But, Kaspersky says, "there are also reports coming from North America and Western European countries such as Switzerland or Luxembourg." 

The attackers designed custom software to attack particular computer systems, experts say, using a "unique modular architecture" comprising malicious extensions, data-grabbing modules, and backdoor trojans. Information extracted was often reused to gain entry to other systems, since it made it easier for the hackers to guess passwords and bypass security barriers.

'Mothership' cloaked

The network of infected computers was controlled by a vast infrastructure created by the attackers, including more than 60 domain names and server hosting locations in several countries, mainly Russia and Germany. Kaspersky says the network was cleverly camouflaged to hide the location of the "mothership" control server. 

The level of Red October's sophistication is comparable to the best state-sponsored efforts, such as Stuxnet and Flame, but could conceivably be the work of rogue operatives from the criminal world, says Mr. Soumenkov. 

"This is the first attack that can be compared, judging by its complexity, with state-sponsored attacks like Flame," he says. 

"But at the same time it can hardly be referred to as state-sponsored. It is unknown whether the collected data was used by attackers themselves, or was sold to other interested parties.... We are talking about the most sensitive types of data like confidential documents, e-mail exchanges, contact information. Scientific information was targeted as well, judging by the profiles of some victims," he adds. 

While declining to name any culprits as yet, Kaspersky says based on several factors, including "numerous artifacts left in executables of the malware, we strongly believe that the attackers have Russian-speaking origins." 

They also suggest that Chinese hackers may have been involved in setting up the network. 

"It's probably not correct to say that this threat comes from Russia," says Alexei Lukatsky, a consultant for CISCO in Russia. 

"The servers are situated in Russia and in Germany, but when we're talking about hosting servers, any company or any person from any part of the world can actually do it. The Internet has no borders.... The same is true about the claim of Chinese traces. The only context where Chinese experts can be mentioned here is the fact that the vulnerabilities used for this type of programs were identified first by Chinese specialists," Mr. Lukatsky says.

This is the second time Kaspersky has uncovered a major global cyberthreat, which could raise questions among the suspicious-minded about whether it may be acting as a cat's paw, or even agent, for Russian intelligence interests. Its exposure of Flame last year was probably quite untimely from the US point of view. 

"It strikes me as odd that this was exposed by a private company working on a private order," says Alexei Kondaurov, a former KGB major general. "Where are FAPSI [the former Russian equivalent of the US National Security Agency], the CIA, and other agencies that are supposed to be on top of these threats? Maybe Kaspersky is interested in advertising itself, and that's why there's so much noise about this?" 

https://www.csmonitor.com/World/Europe/2013/0115/Red-October-malware-found-snooping-on-Russian-state-networks