Following a series of attacks against computer networks targeting international diplomatic service agencies, experts at Kaspersky Lab initiated an investigation in October last year. What they have unearthed looks like a massive large scale cyber-espionage network campaign targeting diplomatic, governmental and scientific research organisations in several countries for at least five years. Termed as Operation Red October, or Rocrat, the Kaspersky investigation reveals that it’s still active as of January 2013.
The investigation reveals that the attackers have been active since at least 2007 and have been focusing on diplomatic and governmental agencies of various countries around the world, in addition to research institutions, energy and nuclear groups, and trade and aerospace targets. The attackers have devised their own malware identified as “Rocra” that comprises of malicious extensions, info-stealing modules and backdoor Trojans.
The countries infected
Explaining the modus-operandi, it states that to infect the systems, the attackers sent a targeted spear-phishing email to a victim that included a customised Trojan dropper. In order to install the malware and infect the system, the malicious email included exploits that were rigged for security vulnerabilities inside Microsoft Office and Microsoft Excel. The exploits from the documents used in the spear-phishing emails were created by other attackers and employed during different cyber attacks including Tibetan activists as well as military and energy sector targets in Asia. The only thing that was changed in the document used by Rocra was the embedded executable, which the attackers replaced it with their own code.
The investigation reveals that the attackers often used information exfiltrated from infected networks as a way to gain entry into additional systems. For example, stolen credentials were compiled into a list and used when the attackers needed to guess passwords or phrases to gain access to additional systems. To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries, with the majority being in Germany and Russia. Kaspersky Lab’s analysis of Rocra’s Command & Control (C2) infrastructure shows that the chain of servers was actually working as proxies in order to hide the location of the ‘mothership’ control server.
What’s also a cause of concern is the fact that in addition to targeting traditional workstations, the malware can siphon data even from mobile devices (iPhone, Nokia and Windows mobile). It stated further that the malware is also capable of stealing configuration information from enterprise network such as routers and switches (Cisco), as well as deleted files from removable disk drives.
The countries that have been found to be infected are mostly distributed in Eastern Europe, with the highest numbers of infections detected in Russia followed by Kazakhstan, while 14 infections were found in India. All of them have occurred in top locations such as government networks and diplomatic institutions. The main purpose of the operation appears to be the gathering of classified information and geopolitical intelligence.
While the investigators haven’t been able to identify the attackers or identify the location, they point to tow important factors, firstly the exploits appear to have been created by Chinese hackers and secondly, the Rocra malware modules have been created by Russian-speaking operatives. There is, however, currently no evidence linking this with a nation-state sponsored attack. The complete report can be accessed here.