A high-level cyber espionage campaign that successfully infiltrated computer networks at diplomatic, governmental and scientific research organisations has been detected.
According to Kaspersky Lab, the campaign has been conducted for the last five years by Russian-speaking attackers who targeted users in Eastern Europe, the former USSR member states and countries in Central Asia, Western Europe and North America.
The campaign, named Red October (Rocra for short), is still active, Kaspersky Lab said, with data being sent to multiple command-and-control (C&C) servers that act as proxies and hide the location of the true C&C server. It said that the attackers created more than 60 domain names and several server hosting locations in different countries, although mainly in Germany and Russia.
What is different about this framework is that it uses at least three different exploits for previously known vulnerabilities: CVE-2009-3129 in Microsoft Excel; CVE-2010-3333 in Microsoft Word; and CVE-2012-0158 (also in Word).
It said that the attackers created a multi-functional framework capable of quickly extending its intelligence-gathering features. It said that the system is resistant to C&C server takeover and allows the attackers to recover access to infected machines using alternative communication channels.
It is capable of stealing data from mobile devices and removable disk drives, stealing email databases from local Outlook storage or remote POP/IMAP servers and siphoning files from local network FTP servers.
Kaspersky Lab claimed that Rocra infects by using spear phishing tactics and, once in, a module actively scans the local area network and finds hosts that are vulnerable to MS08-067 (the vulnerability exploited by Conficker) or that are accessible with administrator credentials from its own password database. Another module collects information to infect remote hosts in the same network.
Detected in October 2012, the campaign had produced several hundred infections worldwide, Kaspersky Lab said, with the most (38) in Russia. It believed that the exploits appear to have been created by Chinese hackers, while the Rocra malware modules were created by Russian-speaking operatives. It also said that there were more than 1,000 modules belonging to 30 different module categories, with some created as far back as 2007.
It said: “The main purpose of the operation appears to be the gathering of classified information and geopolitical intelligence, although it seems that the information gathering scope is quite wide. During the past five years, the attackers collected information from hundreds of high profile victims although it's unknown how the information was used.
“All the attacks are carefully tuned to the specifics of the victims. For instance, the initial documents are customised to make them more appealing and every single module is specifically compiled for the victim with a unique victim ID inside.”
It also said that while there were similarities to the Flame virus, it could not find any connections between Rocra and the Flame/Tilded platforms.