Cyberbusting security firm Kaspersky Lab has discovered a previously unknown and potent cyberweapon it believes has been pilfering large amounts of data from diplomatic and government agencies in former Soviet republics, Eastern Europe and Central Asia since 2007.
After a remarkable run uncovering shady cyberweapons in the last two years, the recent discovery of ‘Red October’(or ‘Rocra’ for short) looks like another example of ‘gotcha’ for the Russian firm.
The choice of name (after Tom Clancy’s Reagan-era Cold War novel) is a dramatic device that doesn’t look entirely out of place when you read Kaspersky’s evidence.
First, Red October is modular (30 in total), reasonably complex in design (1,000 files with 115 creation dates in just over 2 years), targets multiple environments (several mobile platforms as well as PCs), and had a command and control network that ran to 60 domains, all elements that strongly point to this being a cyberweapon and not a criminal enterprise.
Although small-scale, it also evaded detection since at least 2007, a run of good luck that means its code wasn’t related to commercial malware and which would have seen it picked up by antivirus software long ago.
The biggest giveaway looks like the data it was trying to steal, including a long list of data types but also something called ‘Acid Cryptofiler’, a secure format Kaspersky said has been used by the EU and NATO since as recently as 2011. When it stole credentials these were re-used in later attacks.
The malware reached its targets using phishing attacks via email, hitting software vulnerabilities in Microsoft Office and Excel.
The 300 or so victims found include a wide list of countries; North America, Europe, but mainly Eastern Europe and former Soviet republics – 35 infections were detected in the Russian Federation alone.
There were signs of haste, or adaptability, depending on how you interpret it. Red October’s attackers had re-used exploit code hitting one a software vulnerability using code that had Chinese origins. Given that this was publically known, this might be seen as risking exposure.
That is not old-school NSA; these guys were sometimes in a hurry to get their work done.
Evidence of complexity? Apart from the sheer scale and ambition of this malware, it used some very odd tactics such as having a ‘resurrection’ mode that allowed the attackers to turn the malware back on using a crafted Adobe or Office document should the original malware be discovered or its exploits patched.
If it barks like a cyberweapon, it’s generally a cyberweapon. So who might be behind Red October and with what political motivation?
Kaspersky drops a few hints, starting with the malware’s name in its antivirus database, Backdoor.Win32.Sputnik, and perhaps its Red October nickname of course (the metaphor of a rogue Soviet submarine is illuminating). There were also clues that its creators spoke Russian.
That narrows it down to native Russians or, more remotely, Russian-speaking immigrant Jews somewhere like Israel. Whoever built this software wanted to keep long-term tabs on the military-governmental complex in countries once allied to Russia and their often new allies across the globe.
“Once again, it [Red October] raises the question around what else is already out there that we are not aware of,” commented Jarno Limnell of Finnish security specialist Stonesoft.
“Red October” is also a good example of how much activity is happening on a daily basis in the cyber world. It is reminiscent of the way spies used to work during the Cold War. Here is a sophisticated attack that has infiltrated security systems without detection, which then sat there silently, working away and sending back all kinds of valuable intelligence to its controllers,” he said.
“Cyber has been established as the new battlefield and governments, NGOs and commercial organisations need to recognise that, attacks like “Red October”, are becoming the new norm. With regards to cyber-espionage; everybody is doing it. The question is, who is doing it in the best way?”
This is the immense power of cyberweapons, which could also be described as information-gathering systems used for political ends. They can trace the intricate web of relationships and exchanges made between countries that would be impossible using visible evidence alone.
Where the bits and bytes go, so money, goods, services and people and power follow. Where these flows end up, the cyberspooks gravitate towards. They are glamorous for now but also dispassionate.
My enemies’ friends are my enemies too. But they are also my economic partners so the world isn’t ever as simple as the maxims suggest. Bettter to watch everyone even if they are staring back just as intently.