A five-year operation that has links to both the Chinese and Russians has focused on stealing diplomatic, industrial and scientific data from organizations based mainly in Eastern Europe and Asia, security firm Kaspersky Lab said in a report published Jan. 14.
The operation—dubbed Red October, or Rocra, for short—used more than 60 secondary command-and-control servers in Germany, Russia and other countries to hide the location of the attackers. The series of attacks, which appear to have started in 2007, could be an intelligence-gathering operation launched by some nation or a cyber-criminal campaign aimed at stealing valuable data. Unlike previous attacks, which appeared to be launched by Western nations or as retribution by Iran, the latest campaign appears to have a different set of characteristics, Kaspersky wrote in its analysis.
“The information we have collected so far does not appear to point toward any specific location; however, two important factors stand out: The exploits appear to have been created by Chinese hackers, (and) the Rocra malware modules have been created by Russian-speaking operatives,” the company stated.
The attacks have focused on organizations in the Russian Federation, Kazakhstan, Azerbaijan, Belgium, India, Afghanistan, Armenia and other nations. Kaspersky identified 10 or more victims in each of those countries.
Over the past five years, the operation has collected sensitive information from hundreds of victims, stated the company, which first discovered signs of the campaign in October 2012, when a partner asked Kaspersky to analyze an attack. In total, the security firm has identified more than 1,000 different modules, each of which performed specific activities—sometimes tailored—on the victim’s system.
Unlike previous attacks, the Rocra operation seemed to use a much more customized and manual process, Kaspersky Lab stated.
“For instance, the initial documents are customized to make them more appealing and every single module is specifically compiled for the victim with a unique victim ID inside (and) later, there is a high degree of interaction between the attackers and the victim,” the company said. “Compared to Flame and Gauss, which are highly automated cyber-espionage campaigns, Rocra is a lot more ‘personal’ and finely tuned for the victims.”
The attackers also made some interesting design decisions, breaking the software into tasks, many that continually run on a system looking for the proper trigger condition to activate. Some tasks, for example, wait for a mobile phone to connect to the compromised systems and then steal information from the device, while other tasks occasionally connect to all reachable mail servers to download messages.
The attackers used exploits for previously known vulnerabilities used in other attacks, most notably, suspected Chinese operations against Tibetan and pro-democracy activists.
Kaspersky Lab stressed that there is no evidence that links the attacks to nation-states, and suggested that another possibility would be criminal information brokers stealing state secrets and selling them on the black market.
“The information stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states,” the company pointed out in the analysis. “Such information could be traded in the underground and sold to the highest bidder, which can be, of course, anywhere.”