The "Red October" Campaign - An Advanced Cyber Espionage Network Targeting Diplomatic and Governme

The "Red October" Campaign - An Advanced Cyber Espionage Network Targeting Diplomatic and Government Agencies

w ww.securelist.com

During the past five years, a high-level cyber-espionage campaign has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations, gathering data and intelligence from mobile devices, computer systems and network equipment.

Kaspersky Lab's researchers have spent several months analyzing this malware, which targets specific organizations mostly in Eastern Europe, former USSR members and countries in Central Asia, but also in Western Europe and North America.

(visit the link for the full news article)

Really dunno what to say this seems big. Just bringing the news to you guys, maybe you can give a better opinion out of this. Who do you guys think is behind this?

Seems they are not to interested in the U.S. but at the same time this could be because it a U.S. project. Most the countries seem to have or have had Soviet ties.

w ww.securelist.com
(visit the link for the full news article)

Well, the KGB became the SVR in it's most recent version. FSB is their internal security like the American FBI on steroids ..but the SVR is the one running espionage operations in North America. There have been defectors in the last decade or more try to warn us too. They've tried to tell us the activity has INCREASED not gone down since the Soviets became Russians again.

Sounds like they were onto something in trying to warn us all out here......the Bear may look like a Panda but it still has the disposition of a Grizzly.

reply to post by ashtonhz8907


Oh you beat me to it! I'm literally writing my thread up now, which I guess I can delete



This is absolutely bananas! As you read above for at least 5 years high profile individuals, who have not been named, were specifically targeted by hackers/spies to extract all of their data from their computers, USB drives, mobile phones, tablets, you name it! Who was doing this? Well, the security company that uncovered this suggests the spies are of Russian origin due to Russian language being discovered, ie Russian slang non native speakers generally don't know, and some of the collection servers were found to be in Russia although others were also found in Germany. But the company also suggests the Russian connection could very well be a Red Herring and really doesn't know who is beyond this complex computer hacker spy ring.

If you guys thought the Java security was an issue you ain't seen nothing yet!

I suggest you all read the Wire.com article for a good time!

Cybersleuths Uncover 5-Year Spy Operation Targeting Governments, Others | Wired

“The main purpose of the operation appears to be the gathering of classified information and geopolitical intelligence, although it seems that the information-gathering scope is quite wide,” Kaspersky notes in a report released Monday. “During the past five years, the attackers collected information from hundreds of high-profile victims, although it’s unknown how the information was used.”

The attack also shows no signs yet of being the product of a nation-state and may instead be the work of cybercriminals or freelance spies looking to sell valuable intelligence to governments and others on the black market, according to Kaspersky Lab senior security researcher Costin Raiu.

The malware the attackers use is highly modular and customized for each victim, who are assigned a unique ID that is hardcoded into the malware modules they receive.

“The victim ID is basically a 20-hex digit number,” Raiu says. “But we haven’t been able to figure out any method to extract any other information from the victim ID…. They are compiling the modules right before putting them into the booby-trapped documents, which are also customized to the specific target with a lure that can be interesting to the victim. What we are talking about is a very targeted and very customized operation, and each victim is pretty much unique in what they receive.”

Each module is designed to perform various tasks — extract passwords, steal browser history, log keystrokes, take screenshots, identify and fingerprint Cisco routers and other equipment on the network, steal email from local Outlook storage or remote POP/IMAP servers, and siphon documents from the computer and from local network FTP servers. One module designed to steal files from USB devices attached to an infected machine uses a customized procedure to find and recover deleted files from the USB stick.

A separate mobile module detects when a victim connects an iPhone, Nokia or Windows phone to the computer and steals the contact list, SMS messages, call and browsing history, calendar information and any documents stored on the phone.

Based on search parameters uncovered in some of the modules, the attackers are looking for a wide variety of documents, including .pdf files, Excel spreadsheets, .csv files and, in particular, any documents with various .acid extensions. These refer to documents run through Acid Cryptofiler, an encryption program developed by the French military, which is on a list of crypto software approved for use by the European Union and NATO.

Kaspersky says the campaign is much more sophisticated than other extensive spy operations exposed in recent years, such as Aurora, which targeted Google and more than two dozen other companies, or the Night Dragon attacks that targeted energy companies for four years.

“Generally speaking, the Aurora and Night Dragon campaigns used relatively simple malware to steal confidential information,” Kaspersky writes in its report. With Red October, “the attackers managed to stay in the game for over 5 years and evade detection of most antivirus products while continuing to exfiltrate what must be hundreds of Terabytes by now.”

The infection occurs in two stages and generally comes via a spear-phishing attack. The malware first installs a backdoor onto systems to establish a foothold and open a channel of communication to the command-and-control servers. From there, the attackers download any of a number of different modules to the machine.

Raiu says the command-and-control servers are set up in a chain, with three levels of proxies, to hide the location of the “mothership” and prevent investigators from tracing back to the final collection point. Somewhere, he says, lies a “super server” that automatically processes all of the stolen documents, keystrokes and screenshots, organized per unique victim ID.

“Considering there are hundreds of victims, the only possibility is that there is a huge automated infrastructure which keeps track of … all these different dates an which documents have been downloaded during which timeframe,” Raiu says.”This gives them a wide view of everything related to a single victim to manage the infection, to send more modules or determine what documents they still want to obtain.”

reply to post by Swills


You're free to add more info I just saw this and didn't see anyone else with a thread. Thought it would be something ATSers could dig into so dropped it in here for discussion.

“Inside the modules they are using several Russian slang words. Such words are generally unknown to non-native Russian speakers,” Raiu says.

Lol and? Anyone who passed elementary school should be smart enough to have their code point at someone else in case they get caught.

Seems the hack is Chinese but they tailored it for themselves whoever they are.

Although the attackers appear to be Russian speakers, to get their malware onto systems they have been using some exploits — against Microsoft Excel and Word — that were created by Chinese hackers and have been used in other previous attacks that targeted Tibetan activists and military and energy-sector victims in Asia.

Originally posted by ashtonhz8907

“Inside the modules they are using several Russian slang words. Such words are generally unknown to non-native Russian speakers,” Raiu says.

Lol and? Anyone who passed elementary school should be smart enough to have their code point at someone else in case they get caught.

The company is stating the facts and also said that all could very well just be a ruse to further disguise the spies behind this. I believe it is the latter. This is one sophisticated operation and I'm sure no loose ends could be uncovered so easily. One question remains, who would benefit the most from spying on the individuals and companies/research facilities listed above? Whether a nation state is doing the spying or rogue spies are doing it, in the end, who does this information benefit the most?

reply to post by Swills


Lol, yeah I just finished the full articles I'm reading it myself as I broke it here.

reply to post by Swills


I guess the graphic makes it pretty obvious that China is not listed in Red. HHmmm. The country that manufactures most of the world's computers and chips was not attacked by the hackers that were seeking intelligence data from governments, industries and individuals. What a coincidence?

I'm not good at making connections but for you guys that are:

(Map based)
Belarus
Russia
Kazakhstan
United Arab Emirates
Azerbaijan

Seem to be the ones that have most of their activities being monitored, the rest just seem to be political targets.

And a list by infections:

RUSSIAN FEDERATION 35
KAZAKHSTAN 21
AZERBAIJAN 15
BELGIUM 15
INDIA 14
AFGHANISTAN 10
ARMENIA 10
IRAN; ISLAMIC REPUBLIC OF 7
TURKMENISTAN 7
UKRAINE 6
UNITED STATES 6
VIET NAM 6
BELARUS 5
GREECE 5
ITALY 5
MOROCCO 5
PAKISTAN 5
SWITZERLAND 5
UGANDA 5
UNITED ARAB EMIRATES 5

reply to post by exitusstatuquo


No doubt about it, China could very well be suspect but at this point it's impossible to know who really is behind this mastermind scheme of James Bond proportions. The NSA, CIA, and DHS are probably very jealous, but then again America was barely attacked as well.

reply to post by Swills


You could add this image to your post, larger so others can get in and see whats up.

www.securelist.com...

I meant as far as resolution as a replacement for the one already there, just trying to help.

reply to post by ashtonhz8907


I already added it to my first post because everyone loves pictures!

Nah, you don't wanna go any bigger. Everyone is just gonna have to click on the source to get a better look

Hmmm so high profile people.... That to me does not just sound like politicians. To me it sounds like it could be China who have one of the biggest cyber military in the world.

But then again it could be from the US I can imagine a few people that are considered 'High Profile' within the US that its own government would like to spy on, But that to me just does not seam plausible, not really the style of the US plus the amount of wire-tapping that already goes on seam unnecessary for them to engineer this amazing social/software hack.

I don't think the Russians are that stupid to leave a blatant clue like that hanging around. I think it is China. That saying if it is a country, it could be after all just a team of hackers.

Norway
Sweden
China
UK
Canada

All unaffected. Wonder why?

Yeah these are just the ones known about, the article pretty much says this could be the tip of the iceberg. For all we know the most monitored country is one that's not listed. Me being me I would say maybe this hack is a cover and they could be deeper, although this seems pretty deep itself already.

Originally posted by exitusstatuquo
reply to post by Swills

 

I guess the graphic makes it pretty obvious that China is not listed in Red. HHmmm. The country that manufactures most of the world's computers and chips was not attacked by the hackers that were seeking intelligence data from governments, industries and individuals. What a coincidence?

First, how would you know what went on in China. I am sure that www.securelist.com do not have access to China computer security data. Going from your view it could be Canada or Mexico as well but you want to point at China. Says more about who you want it to be.

P

I just hope they are able to spill the beans of what they have found out and we can finally start straightening out the world..

It could be a country. If it is, they would make sure it looked as if they were targeted as well. No one is that stupid. I would put Israel on the list of the usual suspects but remember that many smaller countries can all work with computers. If you dedicate resources over a few decades you can get there. Iran comes to mind as does the USA, China, Russia and I would not leave out France.

It could be organized crime. Either the information gathered could be on sold or the information could be used in a ransom demand. Russian Mafia, Chinese crime syndicates etc etc.

It could be a Multinational Corporation. There are many, sometimes it is difficult to separate these from organized crime outfits.

Where ever the trail leads, look else where. These are very bright people. They will not leave a trail of breadcrumbs.

P

Well Bush really liked the Columbia Intelligence Agency he even went there and praised them as he offered helicopter and aircraft parts along with spy tech. But then that whole spy agency was dismantled for being corrupt. And then shortly afterwards you have Obama Secret Service agents setup by prostitutes. And then you had Turkey fire all the generals and busted a spy ring while the head of the Turkish military was at the White House and at the Pentagon for a week or so while those raids took place.

Turkey is on that map as being spied on Columbia is not. And it is interesting that China, UK and Japan are not on the list.

After reading some information on this. Poland could be the country behind it.

I hope whatever was found will make it's way to the public eye