Red October espionage platform begins shutting down after exposure on Monday

// January 21st, 2013 // Hacking and Security



The Operation Red October espionage campaign was exposed on Monday (1/14/13) by Russian anti-virus software maker Kaspersky Lab. The Red October network was found to target hundreds of diplomatic, governmental, and scientific organizations in at least 39 countries, including the Russian Federation (the most frequent target), Iran, Kazakhstan, Azerbaijan, Belgium, India, Afghanistan, Armenia, Turkmenistan, and the United States. It uses more than 60 domain names with multiple layers of proxy servers (to camouflage its core operations) and automatically creates an extension for Adobe Reader and Microsoft Word that provides the attackers with a “foolproof” way to regain control of a compromised machine should the malware payload ever be removed. Red October was found to have been running since 2007, presumably without discovery by governmental agencies. The main purpose of the campaign is to gather classified information and geopolitical intelligence. According to Ars:

“It uses more than 1,000 distinct modules that have never been seen before to customize attack profiles for each victim. Among other things, components target individual PCs, networking equipment from Cisco Systems, and smartphones from Apple, Microsoft, and Nokia. The attack also features a network of command-and-control servers with a complexity that rivals that used by the Flame espionage malware that targeted Iran.”

It was reported that the malware builders spoke Russian but that many of the exploits were originally developed by Chinese hackers. Its origin is still unknown. The malware was found to contain 1,000 separate modules, each with a specific function, in 30 module categories, allowing a unique, tailored combination of components to target a specific machine configuration. The modules were found to include functions to extract passwords, steal browser history, log keystrokes, take screenshots, identify and fingerprint Cisco routers and other equipment on the network, steal email from local Outlook storage or remote POP/IMAP servers, siphon documents from the computer and from local network FTP servers, steal files from USB devices attached to an infected machine, find and recover deleted files from the USB stick, steal contact lists, swipe SMS messages, retrieve call and browser history, grab calendar appointments, etc. Infections typically come from spear-phishing attacks in which the malware first installs a backdoor to establish a foothold and open a channel of communication to the command-and-control servers. From there, the attackers download any of a number of different modules to the machine, tailored to the system’s configuration.

The network’s command-and-control servers are set up in a chain, with three levels of proxies, to hide the location of the “mothership” and prevent investigators from tracing back to the final collection point. Somewhere within the network lies a “super server” that automatically processes all of the stolen documents, keystrokes and screenshots, organized per unique victim ID.  Kaspersky has yet to identify the main control server.

Kaspersky Lab provided a bit of detail on how the malware operates:

“Each infection is indexed by a unique ID that’s assigned to the compromised machine. The identifier helps to ensure that each attack is carefully tailored to the specific attributes of the victim. For example, the initial documents designed to lure in a potential victim are customized to make them more appealing. Every single module is specifically compiled for the victim with a unique victim ID inside. What’s more, when connecting to the control channel, backdoors identify themselves with a specific string that appears to be the victim’s unique ID. Presumably, this allows the attackers to distinguish between the multitudes of connections and perform specific operations for each victim individually.”

UPDATE 1/21/13


Five days after the announcement of its discovery, it was found that many of the domains and servers had begun shutting down. According to Kaspersky:

“It’s clear that the infrastructure is being shut down. Not only the registers killing the domains and the hosting providers killing the command-and-control servers but perhaps the attackers shutting down the whole operation.”

The discovery of Red October opens yet another chapter in the just-begun era of highly advanced espionage malware that already included Duqu, Aurora, Night Dragon, Flame, and Gauss.

Technical details

As always, Kaspersky has released detailed information about the attack vector. Below are the most important aspects of the attacks.

The loader, most common known paths/names:

%PROGRAMFILES%\Windows NT\svchost.exe
%PROGRAMFILES%\Windows NT\svclogon.exe

Note: the malware dropper writes “svchost.exe” or “svclogon.exe” into the first available path from the list below. To correctly identify an infected system, Kaspersky recommends checking all of the paths listed below.

%ProgramFiles%\Windows NT\
%ProgramFiles%\Windows NT\Accessories\
%ProgramFiles%\Windows NT\Pinball\
%ProgramFiles%\Windows Media Player\
%ProgramFiles%\Web Publish\
%ProgramFiles%\Outlook Express\
%ProgramFiles%\Microsoft Office\Office10\Data\
%ProgramFiles%\Microsoft Office\Office10\
%ProgramFiles%\Microsoft Frontpage\
%ProgramFiles%\Internet Explorer\
%ProgramFiles%\ComPlus Applications\
%CommonProgramFiles%\Microsoft Shared\MsInfo\
%CommonProgramFiles%\Microsoft Shared\Office10\
%CommonProgramFiles%\Web Folders\
%CommonProgramFiles%\Web Server Extensions\
%SystemDrive%\Documents and Settings\LocalService\Application
%SystemDrive%\Documents and Settings\LocalService\Local Settings\Application
%ALLUSERSPROFILE%\Application Data\
%ALLUSERSPROFILE%\Application Data\Microsoft\
%ALLUSERSPROFILE%\Application Data\Microsoft\Office\
%ALLUSERSPROFILE%\Application Data\Microsoft\Office\Data\
%ALLUSERSPROFILE%\Application Data\Microsoft\Windows\
%HOMEPATH%\Local Settings\
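The check Kaspersky recommends above (every directory in the list, both loader names) as an added triage script; this is not code from the page or from Kaspersky. It expands the `%VAR%` tokens itself, and the `exists` predicate is injectable so the same path logic can run against a file listing collected from a host rather than only on a live Windows machine.

```python
import os
import re

# Loader filenames and candidate directories as listed above (Kaspersky's list);
# trailing backslashes dropped since they are re-added on join. The two entries
# ending in "...\Application" look truncated on the page and are kept verbatim.
LOADER_NAMES = ("svchost.exe", "svclogon.exe")
LOADER_DIRS = [
    r"%ProgramFiles%\Windows NT",
    r"%ProgramFiles%\Windows NT\Accessories",
    r"%ProgramFiles%\Windows NT\Pinball",
    r"%ProgramFiles%\Windows Media Player",
    r"%ProgramFiles%\Web Publish",
    r"%ProgramFiles%\Outlook Express",
    r"%ProgramFiles%\Microsoft Office\Office10\Data",
    r"%ProgramFiles%\Microsoft Office\Office10",
    r"%ProgramFiles%\Microsoft Frontpage",
    r"%ProgramFiles%\Internet Explorer",
    r"%ProgramFiles%\ComPlus Applications",
    r"%CommonProgramFiles%\Microsoft Shared\MsInfo",
    r"%CommonProgramFiles%\Microsoft Shared\Office10",
    r"%CommonProgramFiles%\Web Folders",
    r"%CommonProgramFiles%\Web Server Extensions",
    r"%SystemDrive%\Documents and Settings\LocalService\Application",
    r"%SystemDrive%\Documents and Settings\LocalService\Local Settings\Application",
    r"%ALLUSERSPROFILE%\Application Data",
    r"%ALLUSERSPROFILE%\Application Data\Microsoft",
    r"%ALLUSERSPROFILE%\Application Data\Microsoft\Office",
    r"%ALLUSERSPROFILE%\Application Data\Microsoft\Office\Data",
    r"%ALLUSERSPROFILE%\Application Data\Microsoft\Windows",
    r"%HOMEPATH%\Local Settings",
]
_VAR = re.compile(r"%([^%]+)%")

def expand_vars(path, env):
    """Expand %VAR% tokens with a case-insensitive lookup, as Windows does.
    Unknown variables are left in place so an unexpanded path stays visible."""
    lower = {k.lower(): v for k, v in env.items()}
    return _VAR.sub(lambda m: lower.get(m.group(1).lower(), m.group(0)), path)

def candidate_paths(env):
    """Every directory/filename combination, in the dropper's search order."""
    return [expand_vars(d, env).rstrip("\\") + "\\" + n
            for d in LOADER_DIRS for n in LOADER_NAMES]

def scan_loader_paths(env=None, exists=os.path.exists):
    """Return the candidate paths that exist. `exists` is injectable so the
    check can run over a collected file list instead of the live host."""
    env = dict(os.environ) if env is None else env
    return [p for p in candidate_paths(env) if exists(p)]
```

A hit is worth a second look even when the filename is the familiar `svchost.exe`: the legitimate binary lives under the Windows system directory, not under any of these Program Files or profile paths.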

The main backdoor encrypted body, known filenames (same location on disk as “the loader”):


Here are some of the Command and Control servers used by the Red October malware:

And here is a list of IP addresses that are commonly used in the attacks:

Kaspersky Lab has released a whitepaper with complete details on the attacks including Snort rules you can use to detect and analyze the network traffic coming from the malware.


Sources: CNN, Ars, Wired Magazine
