In his 1998 novel Digital Fortress, Dan Brown explores the effect of government surveillance of electronically stored information on the private lives of citizens, and the civil liberties and ethical questions that such surveillance raises. With hindsight he was not far off the mark, and the scenario he imagined may yet become reality.
The book explores what happens when the US National Security Agency’s (NSA) code-breaking supercomputer encounters a new and complex cipher, Digital Fortress, that it cannot break. The head cryptographer is tasked with cracking it, and she discovers that it was written by Ensei Tankado, a former NSA employee who became displeased with the NSA’s intrusion into people’s private lives. Tankado intends to auction the algorithm on his website and have his partner, “Ndakota”, release it for free when he dies. Tankado is essentially holding the NSA hostage, and the agency is determined to stop Digital Fortress from becoming a threat to national security. The story ends well; that is not the case with a recent discovery by Kaspersky Lab, a cyber-espionage campaign the company codenamed “Red October”.
In January 2013 the company published a research report identifying an elusive cyber-espionage campaign that had targeted diplomatic, governmental and scientific research organisations in several countries for at least the previous five years. The campaign focused primarily on countries in Eastern Europe, the former USSR republics and Central Asia, although victims were found everywhere, including Western Europe and North America. The attackers’ main objective was to gather sensitive documents from the compromised organisations, including geopolitical intelligence, credentials for classified computer systems, and data from personal mobile devices and network equipment.
In October 2012 Kaspersky Lab’s team of experts had initiated an investigation following a series of attacks against the computer networks of international diplomatic service agencies. A large-scale cyber-espionage network was revealed and analysed during the investigation. According to the analysis report, Operation Red October, “Rocra” for short, was still active as of January 2013.
The attackers have been active since at least 2007 and have focused on diplomatic and governmental agencies of various countries across the world, in addition to research institutions, energy and nuclear groups, and trade and aerospace targets. The Red October attackers designed their own malware, identified as “Rocra”, with a unique modular architecture comprised of malicious extensions, info-stealing modules and backdoor Trojans. The attackers often used information exfiltrated from infected networks as a way to gain entry into additional systems. For example, stolen credentials were compiled into a list and reused whenever the attackers needed to guess passwords or passphrases for further systems.
To control the network of infected machines, the attackers registered more than 60 domain names and several server hosting locations in different countries, the majority in Germany and Russia. Kaspersky Lab’s analysis shows that the chain of servers was actually working as proxies in order to hide the location of the “mothership” control server. Information stolen from infected systems includes documents with the extensions txt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau, cif, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca, aciddsk, acidpvr, acidppr and acidssa. In particular, the “acid*” extensions appear to belong to the classified encryption software “Acid Cryptofiler”, which is used by several entities, from the European Union to NATO; the key, crt, cer, pgp and gpg extensions show that the attackers were after cryptographic key material, not only documents.
To infect systems the attackers sent a targeted spear-phishing email to a victim that included a customised Trojan dropper. In order to install the malware the malicious email carried documents with exploits for security vulnerabilities in Microsoft Word and Microsoft Excel. The exploits in the documents used in the spear-phishing emails had been created by other attackers and used in earlier attacks, including ones against Tibetan activists and against military and energy-sector targets in Asia. The only thing changed in the documents reused by Rocra was the embedded executable, which the attackers replaced with their own code. Notably, one of the commands run by the Trojan dropper switched the codepage of the command-prompt session to 1251, the Windows Cyrillic codepage, which is needed to render Cyrillic text correctly.
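The infection chain above gives a defender two observable behaviours: an Office process spawning a command shell (which a document should never need to do), and a console codepage switch to 1251. The following detection logic is an added example written for this article, not code from Kaspersky’s report. It runs over constructed, tab-separated process-creation records (pid, image, parent image, command line) that stand in for Sysmon or EDR telemetry; the literal “chcp 1251” command line and the payload name “dropped.exe” are assumptions, since the report text here only describes the codepage change. The scoring deliberately treats the codepage switch on its own as weak evidence, because administrators on Cyrillic-locale hosts run it legitimately.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records (not real telemetry), tab-separated:
# pid, image, parent image, command line. The chcp 1251 command line and the
# payload name "dropped.exe" are assumptions for illustration.
SAMPLE_EVENTS = """\
1180\tC:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE\tC:\\Windows\\explorer.exe\t"WINWORD.EXE" /n "C:\\Users\\a\\Desktop\\invite.doc"
1204\tC:\\Windows\\System32\\cmd.exe\tC:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE\tcmd.exe /c chcp 1251 && "%TEMP%\\dropped.exe"
1330\tC:\\Windows\\System32\\cmd.exe\tC:\\Windows\\explorer.exe\tcmd.exe /c dir C:\\Users
1402\tC:\\Windows\\System32\\cmd.exe\tC:\\Program Files\\Microsoft Office\\Office12\\EXCEL.EXE\tcmd.exe /c whoami
1511\tC:\\Windows\\System32\\cmd.exe\tC:\\Windows\\explorer.exe\tcmd.exe /k chcp 1251
"""

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe"}
# Codepage 1251 is Windows-1251 (Cyrillic); the dropper switched the console to it.
CODEPAGE_RE = re.compile(r"\bchcp\s+1251\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    image: str
    parent_image: str
    command_line: str


def parse_events(text):
    """Parse the tab-separated records into ProcEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, image, parent, cmdline = line.split("\t", 3)
        events.append(ProcEvent(int(pid), image, parent, cmdline))
    return events


def basename(path):
    """Lower-cased file name of a Windows path, tolerant of either slash."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the finding labels that apply to one event (empty list = benign)."""
    findings = []
    child, parent = basename(ev.image), basename(ev.parent_image)
    if parent in OFFICE_PARENTS and child in SHELLS:
        findings.append("office-spawned-shell")
    if CODEPAGE_RE.search(ev.command_line):
        findings.append("codepage-1251-switch")
    return findings


def severity(findings):
    """Office -> shell plus the codepage switch is the Rocra pattern; the codepage
    switch alone is common on Cyrillic-locale hosts and only rates 'low'."""
    if "office-spawned-shell" in findings and "codepage-1251-switch" in findings:
        return "high"
    if "office-spawned-shell" in findings:
        return "medium"
    return "low"


def triage(events):
    """Map pid -> (severity, findings) for every event with at least one finding."""
    result = {}
    for ev in events:
        findings = classify(ev)
        if findings:
            result[ev.pid] = (severity(findings), findings)
    return result


if __name__ == "__main__":
    for pid, (sev, findings) in triage(parse_events(SAMPLE_EVENTS)).items():
        print(f"pid {pid}: {sev} {findings}")
```

Only pid 1204 scores high: it combines the Office-spawned shell with the codepage switch. The whoami from Excel (1402) still deserves a look on its own, while the administrator’s interactive chcp from Explorer (1511) is noise that a rule keyed on the codepage alone would page on every day.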
Kaspersky used two methods to analyse the victims. First, it used detection statistics from the Kaspersky Security Network (KSN), the cloud-based service through which the company’s products report telemetry and receive advanced threat protection in the form of blacklists and heuristic rules. KSN had been detecting the exploit code used in the malware as early as 2011, which let its experts search for similar detections related to Rocra. The second method was to set up a sinkhole server so that the research team could observe infected machines connecting to what had been Rocra’s C2 domains. The two data sets gave them independent ways of correlating and confirming their findings.
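A sinkhole of the kind described in the second method is, at its core, a server that answers for domains the attackers no longer control and records who still calls home. The following is an added example written for this article, not Kaspersky’s tooling: a minimal HTTP sinkhole that logs the client address, the requested hostname and the user agent, plus a census function that counts distinct victim addresses per sinkholed domain. The domain names, the beacon path and the user agent are constructed placeholders; the real Rocra domains and beacon format are not reproduced here, and the DNS side (re-registering or redirecting the domains so that victims reach this server) is assumed to have been done separately.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholder names standing in for the sinkholed C2 domains.
SINKHOLED_DOMAINS = {"c2-example-one.test", "c2-example-two.test"}


class SinkholeHandler(BaseHTTPRequestHandler):
    """Accept any request, record it, and answer with an empty 200."""

    def do_GET(self):
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        record = {
            "client_ip": self.client_address[0],
            "host": host,
            "path": self.path,
            "user_agent": self.headers.get("User-Agent", ""),
            # Traffic for a name we do not sinkhole is a scanner or a typo, not a victim.
            "sinkholed": host in SINKHOLED_DOMAINS,
        }
        self.server.records.append(record)
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_POST = do_GET

    def log_message(self, *args):  # keep stderr quiet; the records list is the log
        pass


class Sinkhole(HTTPServer):
    """HTTPServer that keeps an in-memory record list and runs in a thread."""

    def __init__(self, addr=("127.0.0.1", 0)):
        super().__init__(addr, SinkholeHandler)
        self.records = []
        self._thread = threading.Thread(target=self.serve_forever, daemon=True)

    def start(self):
        self._thread.start()
        return self.server_address[1]  # the port the OS picked

    def stop(self):
        self.shutdown()  # must be called from a thread other than serve_forever's
        self.server_close()


def victims_by_domain(records):
    """Distinct client addresses per sinkholed hostname: the basic victim census."""
    seen = {}
    for r in records:
        if r["sinkholed"]:
            seen.setdefault(r["host"], set()).add(r["client_ip"])
    return {host: len(ips) for host, ips in seen.items()}


def simulate_beacon(port, host_header, path="/beacon"):
    """Stand-in for an infected host. Uses the raw http.client API so the Host
    header names the C2 domain while the TCP connection goes to the sinkhole."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.putrequest("GET", path, skip_host=True, skip_accept_encoding=True)
    conn.putheader("Host", host_header)
    conn.putheader("User-Agent", "constructed-implant/1.0")
    conn.endheaders()
    status = conn.getresponse().status
    conn.close()
    return status


def run_demo():
    """Start a sinkhole, send four constructed beacons, return records and census."""
    sinkhole = Sinkhole()
    port = sinkhole.start()
    try:
        simulate_beacon(port, "c2-example-one.test")
        simulate_beacon(port, "c2-example-one.test", "/beacon?again=1")
        simulate_beacon(port, "c2-example-two.test")
        simulate_beacon(port, "unrelated.example")  # stray scanner, not a victim
        return sinkhole.records, victims_by_domain(sinkhole.records)
    finally:
        sinkhole.stop()


if __name__ == "__main__":
    records, census = run_demo()
    for r in records:
        print(r)
    print("victims per domain:", census)
```

The census counts addresses, not machines: several infected hosts behind one NAT gateway appear as one victim, and one laptop that moves between networks appears as several, which is why the published victim numbers from a sinkhole are always an estimate. The non-sinkholed hostname in the demo shows the other filtering a real deployment needs, since scanners, researchers and other security vendors will hit the server as soon as the domains resolve to it.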
As with previous cyber-espionage investigations, Kaspersky Lab, in collaboration with international organisations, law enforcement agencies and Computer Emergency Response Teams (CERTs), is continuing its investigation of Rocra and providing technical expertise and resources for remediation and mitigation. Kaspersky Lab products detect, block and remediate the Rocra malware under the classification Backdoor.Win32.Sputnik.