Kaspersky Uncovers Red October Malware Campaign

Since October of last year, Kaspersky Lab researchers have been analyzing a malware campaign that’s been targeting mobile devices, computer systems and network equipment at diplomatic, governmental and scientific research organizations worldwide.

“The campaign, identified as ‘Rocra,’ short for ‘Red October,’ is currently still active with data being sent to multiple command-and-control servers, through a configuration which rivals in complexity the infrastructure of the Flame malware,” Kaspersky Lab reports. “Registration data used for the purchase of C&C domain names and PE timestamps from collected executables suggest that these attacks date as far back as May 2007.”

“Detected in October 2012, Kaspersky Lab said that it had counted several hundred infections worldwide, with the most (38) in Russia,” writes SC Magazine’s Dan Raywood. “It believed that the exploits appear to have been created by Chinese hackers, while the Rocra malware modules were created by Russian-speaking operatives.”

“The malware is sent via a spear-phishing email which, according to the firm, targets carefully-selected victims within an organisation,” writes ZDNet’s Charlie Osborne. “Containing at least three different exploits in Microsoft Excel and Word, the infected files, once downloaded, [drop] a trojan on to the machine which then scans the local network to detect if any other devices are vulnerable to the same security flaw.”

“The main purpose of the campaign is to gather classified information and geopolitical intelligence,” writes Ars Technica’s Dan Goodin. “Among the data collected are files from cryptographic systems such as the Acid Cryptofiler, with the collected information used in later attacks. Stolen credentials, for instance, were compiled and used later when the attackers needed to guess secret phrases in other locations.”

“While Kaspersky would not go so far as to call it a nation-state campaign, the resources behind the attackers and the targets they chose — which also included oil and gas companies, aerospace, nuclear research, and trade and commerce organizations — would indicate an interest in a particular type of information,” writes Threatpost’s Michael Mimoso. “Most of the victims were specific organizations in Eastern Europe, former USSR nations and countries in Central Asia. Some attacks were also noticed in Western Europe and North America, Kaspersky said.”

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.