‘Red October’ cyber-attack found by Russian researchers

A major cyber-attack that may have been stealing confidential documents since 2007 has been discovered by Russian researchers.

Report by BBC Online

Kaspersky Labs told the BBC the malware targeted government institutions such as embassies, nuclear research centres and oil and gas institutes.

It was designed to steal encrypted files – and was even able to recover files that had been deleted.

One expert described the attack find as “very significant”.

“It appears to be trying to suck up all the usual things – word documents, PDFs, all the things you’d expect,” said Prof Alan Woodward, from the University of Surrey.

“But a couple of the file extensions it’s going after are very specific encrypted files.”

In a statement, Kaspersky Labs said: “The primary focus of this campaign targets countries in Eastern Europe, former USSR Republics, and countries in Central Asia, although victims can be found everywhere, including Western Europe and North America.

“The main objective of the attackers was to gather sensitive documents from the compromised organisations, which included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment.”

‘Carefully selected’

In an interview with the BBC, the company’s chief malware researcher Vitaly Kamluk said victims had been carefully selected.

“It was discovered in October last year,” Mr Kamluk said.

“We initiated our checks and quite quickly understood that this is a massive cyber-attack campaign.

“There was a quite limited set of targets that were affected – they were carefully selected. They seem to be related to some high-profile organisations.”

Red October – which is named after a Russian submarine featured in the Tom Clancy novel The Hunt For Red October – bears many similarities with Flame, a cyber-attack discovered last year.

Like Flame, Red October is made up of several distinct modules, each with a set objective or function.

“There is a special module for recovering deleted files from USB sticks,” Mr Kamluk said.

“It monitors when a USB stick is plugged in, and it will try to undelete files. We haven’t seen anything like that in a malware before.”

Also unique to Red October was its ability to hide on a machine as if deleted, said Prof Woodward.

“If it’s discovered, it hides.

“When everyone thinks the coast is clear, you just send an email and ‘boof’ it’s back and active again.”

Cracked encryption

Other modules were designed to target files encrypted using a system known as Cryptofiler – an encryption standard that used to be in widespread use by intelligence agencies but is now less common.

Prof Woodward explained that while Cryptofiler is no longer used for extremely sensitive documents, it is still used by the likes of Nato for protecting privacy and other information that could be valuable to hackers.

Red October’s targeting of Cryptofiler files could suggest its encryption methods had been “cracked” by the attackers.

Like most malware attacks, there are clues as to its origin – however security experts warn that any calling cards found within the attack’s code could in fact be an attempt to throw investigators off the real scent.

Kaspersky’s Mr Kamluk said the code was littered with broken, Russian-influenced English.

“We’ve seen use of the word ‘proga’ – a slang word common among Russians which means program or application. It’s not used in any other language as far as we know.”

But Prof Woodward added: “In the sneaky old world of espionage, it could be a false flag exercise. You can’t take those things at face value.”

Kaspersky’s research indicated there were 55,000 connection targets within 250 different IP addresses. In simpler terms, this means that large numbers of computers were infected in single locations – possibly government buildings or facilities.

A 100-page report into the malware is to be published later this week, the company said.



© 2015 NewsDay Zimbabwe. All Rights Reserved.
