15
2013
Red October, latest superspy virus
Kaspersky has uncovered a new, far-ranging cyberspying campaign that targets government secrets. The firm has tantalizingly named the malicious software behind the attack “Red October,” a nod to the famous Tom Clancy novel.
Red October has been attempting to steal critical, secret documents since at least 2007, Kaspersky said in a report posted to its website Monday. It’s designed to defeat a common encryption scheme that’s used by NATO and government agencies, Kaspersky says. It’s also capable of stealing data from mobile phones, and has a “resurrection” module that allows the program to reinstall itself even if detected and removed.
“During the past five years, a high-level cyber-espionage campaign has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations, gathering data and intelligence from mobile devices, computer systems and network equipment,” Kaspersky says in its report.
Kaspersky, which has found several similar cyberattacks over the past two years, didn’t identify the original source of its discovery, or the identity of organizations infected by the program. The firm said it is working with US-CERT, the cybersecurity arm of the U.S. government, and other national cyber-defense teams to continue its investigation and to help mitigate the attacks.
Kaspersky has made a name for itself by disclosing a series of programs that appear to be part of focused cyberattacks against government entities, beginning with the infamous Flame virus, allegedly designed to attack computers inside Iran. It doesn’t matter where a virus comes from, who made it, or what its purpose is; the firm is going to reveal it.
Red October infections aren’t widespread, the firm says — only “several hundred” have been found so far. The virus isn’t designed for high infection rates, but rather to spy on specific, high-value targets, it said. The highest infection rates were in Russia, Kazakhstan and Azerbaijan, Kaspersky said, suggesting Eastern Europe and former Soviet republics were the main targets of the virus writers. There were a handful of infections in Belgium, the U.S., and Switzerland, however, hinting that the virus writers might not be driven by geopolitics, but by the almighty dollar.
In fact, unlike with Flame, Kaspersky said there is no evidence that a nation-state is behind the program, leading it to speculate that for-profit hackers were behind it.
“Such information could be traded in the underground and sold to the highest bidder, which can be, of course, anywhere,” the firm said in a report.
The firm also said it saw no connection between the authors of Flame and Red October.
The program itself is a bit of a Frankenstein, borrowing code and attack strategies from earlier viruses. Spear-phishing emails — specially crafted, booby-trapped emails designed to infect a single user — opened the door to victims’ machines, and were copied from attacks used against Tibetan activists, it said. Other code in the virus suggests the writers borrowed heavily from Chinese hackers, too. Vulnerabilities used to actually control the target machine were borrowed from Conficker, discovered in 2008, which remains one of the most widespread viruses over the past five years. Its origin has never been definitively determined, but many researchers speculate it was written by Ukrainians. But the program itself uses several Russian words, and Kaspersky believes its authors were Russian speakers.
Also telling: When hackers get control of a target machine and obtain a command prompt that can be used to issue commands, that prompt is instructed to render Cyrillic fonts — used in the alphabets of Russia and other languages in parts of the Balkans and Northern Eurasia.
That doesn’t mean Red October was created by Russians, however.
Red October — so named because of the Russian words discovered in the virus code — has several other unique characteristics suggesting the authors were attempting a wide-ranging espionage campaign. For example, infected computers constantly searched for users connecting a smartphone, after which the virus would raid the device for useful information.
“Once connected, (Red October is instructed to) retrieve information about the phone, its phone book, contact list, call history, calendar, SMS messages, browsing history,” the report says.
The virus also searches constantly for connection of a USB thumb drive and, once detected, scans that device for files to steal, too.
Cyberwarfare, including digital espionage such as that allegedly carried out by Red October, has long been predicted by computer security experts. A number of high-profile discoveries recently appear to be confirming those predictions. The most famous is Stuxnet, discovered in June 2010, which targeted Iranian critical infrastructure and was ultimately attributed to Israeli and American programmers by the New York Times. Kaspersky did not initially discover Stuxnet — a small Belarusian firm is credited with that — but it did issue the first detailed report on Stuxnet’s capabilities.
H.D. Moore, chief security officer of security firm Rapid7 and creator of the popular security testing software Metasploit, told NBC News on Monday that he was able to independently confirm some of what Kaspersky said in its report, including identifying several so-called “command and control” servers used by Red October hackers to contact compromised machines.
“This is not on the same level as the Flame virus,” he said, “but it does some scary things.”
Among the capabilities that interested Moore: Red October’s ability to undelete files that had been deleted from USB drives. That creates all sorts of potential nightmares for security professionals at high-security agencies.
“We hadn’t seen that before in malware,” Moore said. “The threat is that USB drives are often shared between people, especially at conferences. Even if you take precautions to delete files and you trust the person you are sharing this with, this malware would be able to automatically recover deleted files and siphon them off without either party being aware.”
Other techniques in the virus show it was designed mainly “to gather as many documents as possible,” rather than attempting to infiltrate a single machine or steal a single file. Given the wide net cast by Red October, which was hardly subtle, Moore said he was “surprised it got as far as it did” before being discovered.