IT security analysts uncover ‘Red October’ cyber attack

14 Jan 2013

Anti-virus firm Kaspersky Lab is claiming to have uncovered a major global cyber attack operation that has been running since 2007. Dubbed ‘Red October’, the campaign appears to have been targeting diplomatic, governmental and scientific research organisations in several countries, with the aim of stealing sensitive documents.

Kaspersky has today issued a paper concerning its research on this latest cyber-espionage operation, which the firm claims has been running for five years.

According to Kaspersky, its researchers have been analysing the malware in this cyber attack since last October as a result of a spate of attacks against computer networks targeting international diplomatic service agencies.

‘Rocra’ malware

The anti-virus firm said the Red October attackers designed their own malware, known as Rocra, and have successfully infiltrated computer networks to gather data and intelligence from mobile devices, computer systems and network equipment.

“The primary focus of this campaign targets countries in Eastern Europe, former USSR Republics, and countries in Central Asia, although victims can be found everywhere, including Western Europe and North America,” said Kaspersky in a statement.

It said the cyber attacks are still active, with stolen data being sent to multiple command-and-control (C&C) servers through an infrastructure Kaspersky claims is as complex as that of the Flame malware discovered in 2012.

Cyber attacks since 2007

The firm said the registration data for the C&C domain names suggest the Red October attacks have been taking place as far back as May 2007.

Kaspersky said the attackers have been targeting diplomatic and governmental agencies, as well as research institutions, energy and nuclear groups, and trade and aerospace targets.

The firm said the Rocra malware used in the attacks has a distinctive modular architecture made up of malicious extensions, info-stealing modules and backdoor Trojans.

It said the attackers often harvest information from infected networks to later re-use it in other attacks.

Kaspersky said the attackers created more than 60 domain names and several server-hosting locations in different countries, with the majority being in Germany and Russia.

The company is set to release more information about its Red October research in the coming days.


Carmel Doyle was a long-time reporter with Silicon Republic