There are plenty of cyberweapons floating around out there, like Stuxnet, Flame and that whole gang. Now, Kapersky has turned up a cyber-espoinage operation it has dubbed “Red October”, and it’s up there in the big leagues. But unlike its cohorts, it doesn’t look State-sponsored. This is a freelance job, and it’s professional grade.
While Red October has only recently been discovered, it’s been working behind the scenes for a long time. According to its domain names and various details dug up from the executable code, it’s been doing its thing since 2007, if not earlier. And what is its thing? Harvesting loads of classified information from high-profile targets across the globe — including the United States, but mostly in Eastern Europe and Central Asia. And it’s got quite the stash.
Red October has been infecting targets through vulnerabilities in MS Word and MS Excel. Once there’s a foothold, the infected devices call back to command servers for customised packages of malware signed with victim-specific 20 digit codes. From there, it collects data straight from government institutions, embassies, research firms, military installations, and energy providers, nuclear and otherwise. Over the past half-decade, Red October has been able to dive deeper and deeper into classified intel by using its ever-growing store of pilfered credentials, logins, and other handy tidbits to intelligently guess its way through security.
Part of the reason it’s become so pervasive and wide-reaching is that it’s not confined to infecting, stealing from, and keylogging workstations. The malware also has to capability to get into mobile phones (iOS, Windows Mobile, and Nokia) connected to infected machines and snag a copy of their contacts, calls, messages, and browsing history. It can also scrub enterprise network equipment and removable disk drives, copy entire email databases from Outlook storage and POP/IMAP servers, and it can even take deleted files off USB sticks using its own recovery mechanism. Red October doesn’t mess around.
What it can get is one question, but who it’s run by is a very different one. According to Kapersky the exploits are probably Chinese in origin, and Russian slang in some of the code implies the operators speak Russian. Or they’re running an in-depth long-con to make people think they do. Most of the command and control servers and domains that can be found are located in and around Germany and Russia, but an intense chain of proxies is still effectively masking the operation’s real home base. And while it rivals state-sponsored projects in size and complexity, its never been known to tangle with or team up with them in any way. Red October is a solitary hoarder, sitting in some cyber-shack alone, surrounded by heaps of top secret info.
Likewise, it’s still up for grabs what all this espionage is for. There’s no evidence to suggest this is a state-sponsored affair, and it seems to be just trucking along, collecting as much classified information as possible just to have it around. Infections are most prominent in Russia (35 infections) but Afghanistan (10), Iran (7), the United States (6), and even Switzerland (5) are on the map as well. But there’s no telling what’s been done with any info. It could be being sold, acting on in some covert way, or just stockpiled for the right moment for… something.
It’s hard not to imagine a man sitting behind a large desk, his face obscured by shadow, tapping his fingers and chuckling to himself sinisterly, watching his own private store of the world’s confidential information grow before his very eyes as he ponders what do with it all. And that might not be too far off from the truth. This isn’t just a game for nation-states to play; it looks like there’s a free agent in the mix, and he/she/they/it/ is every bit as competent as the big names. [Kapersky]