|By PR Newswire||
|January 14, 2013 11:45 AM EST||
ABINGDON, England, January 14, 2013 /PRNewswire/ --
Attackers created unique, highly-flexible malware to steal data and geopolitical intelligence from target victims' computer systems, mobile phones and enterprise network equipment
Today Kaspersky Lab published a new research report which identified an elusive cyber-espionage campaign targeting diplomatic, governmental and scientific research organisations in several countries for at least five years. The primary focus of this campaign targets countries in Eastern Europe, former USSR Republics and countries in Central Asia, although victims can be found everywhere, including Western Europe and North America. The main objective of the attackers was to gather sensitive documents from the compromised organisations, which included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment.
In October 2012 Kaspersky Lab's team of experts initiated an investigation following a series of attacks against computer networks targeting international diplomatic service agencies. A large scale cyber-espionage network was revealed and analysed during the investigation. According to Kaspersky Lab's analysis report, Operation Red October, called "Rocra" for short, is still active as of January 2013, and has been a sustained campaign dating back as far as 2007.
Main Research Findings
Red October's Advanced Cyber-espionage Network: The attackers have been active since at least 2007 and have been focusing on diplomatic and governmental agencies of various countries across the world, in addition to research institutions, energy and nuclear groups, and trade and aerospace targets. The Red October attackers designed their own malware, identified as "Rocra," that has its own unique modular architecture comprised of malicious extensions, info-stealing modules and backdoor Trojans.
The attackers often used information exfiltrated from infected networks as a way to gain entry into additional systems. For example, stolen credentials were compiled in a list and used when the attackers needed to guess passwords or phrases to gain access to additional systems.
To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries, with the majority being in Germany and Russia. Kaspersky Lab's analysis of Rocra's Command & Control (C2) infrastructure shows that the chain of servers was actually working as proxies in order to hide the location of the 'mothership' control server.
Information stolen from infected systems includes documents with extensions: txt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau, cif, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca, aciddsk, acidpvr, acidppr, acidssa. In particular, the "acid*" extensions appears to refer to the classified software "Acid Cryptofiler", which is used by several entities, from the European Union to NATO.
To infect systems, the attackers sent a targeted spear-phishing email to a victim that included a customised Trojan dropper. In order to install the malware and infect the system the malicious email included exploits that were rigged for security vulnerabilities inside Microsoft Office and Microsoft Excel. The exploits from the documents used in the spear-phishing emails were created by other attackers and employed during different cyber attacks including Tibetan activists as well as military and energy sector targets in Asia. The only thing that was changed in the document used by Rocra was the embedded executable, which the attackers replaced with their own code. Notably, one of the commands in the Trojan dropper changed the default system codepage of the command prompt session to 1251, which is required to render Cyrillic fonts.
Targeted Victims & Organisations
Kaspersky Lab's experts used two methods to analyse the target victims. First, they used detection statistics from the Kaspersky Security Network (KSN), which is the cloud-based security service used by Kaspersky Lab products to report telemetry and deliver advanced threat protection in the forms of blacklists and heuristic rules. KSN had been detecting the exploit code used in the malware as early as 2011, which enabled Kaspersky Lab's experts to search for similar detections related to Rocra. The second method used by Kaspersky Lab's research team was creating a sinkhole server so they could monitor infected machines connecting to Rocra's C2 servers. The data received during the analysis from both methods provided two independent ways of correlating and confirming their findings.
- KSN statistics: Several hundred unique infected systems were detected by the data from KSN, with the focus being on multiple embassies, government networks and organisations, scientific research institutes and consulates. According to KSN's data, the majority of infections that were identified were located primarily in Eastern Europe, but other infections were also identified in North America and countries in Western Europe, as Switzerland and Luxembourg.
- Sinkhole statistics: Kaspersky Lab's sinkhole analysis took place from November 2nd, 2012 - January 10th, 2013. During this time more than 55,000 connections from 250 infected IP addresses were registered in 39 countries. The majority of infected IP connections were coming from Switzerland, followed by Kazakhstan and Greece.
Rocra malware: unique architecture and functionality
The attackers created a multi-functional attack platform that includes several extensions and malicious files designed to quickly adjust to different systems' configurations and harvest intelligence from infected machines. The platform is unique to Rocra and has not been identified by Kaspersky Lab in previous cyber-espionage campaigns. Notable characteristics include:
- "Resurrection" module: A unique module that enables the attackers to "resurrect" infected machines. The module is embedded as a plug-in inside Adobe Reader and Microsoft Office installations and provides the attackers a foolproof way to regain access to a target system if the main malware body is discovered and removed, or if the system is patched. Once the C2s are operational again the attackers send a specialized document file (PDF or Office document) to victims' machines via e-mail which will activate the malware again.
- Advanced cryptographic spy-modules: The main purpose of the spying modules is to steal information. This includes files from different cryptographic systems, such as Acid Cryptofiler, which is known to be used in organisations of NATO, the European Union, European Parliament and European Commission since the summer of 2011 to protect sensitive information.
- Mobile Devices: In addition to targeting traditional workstations, the malware is capable of stealing data from mobile devices, such as smartphones (iPhone, Nokia and Windows Mobile). The malware is also capable of stealing configuration information from enterprise network equipment such as routers and switches, as well as deleted files from removable disk drives.
Attacker identification: Based on the registration data of C2 servers and the numerous artifacts left in executables of the malware, there is strong technical evidence to indicate the attackers have Russian-speaking origins. In addition, the executables used by the attackers were unknown until recently, and were not identified by Kaspersky Lab's experts while analyzing previous cyber-espionage attacks.
Kaspersky Lab, in collaboration with international organisations, law enforcement agencies and Computer Emergency Response Teams (CERTs) is continuing its investigation of Rocra by providing technical expertise and resources for remediation and mitigation procedures.
Kaspersky Lab would like to express their thanks to: US-CERT, the Romanian CERT and the Belarusian CERT for their assistance with the investigation.
The Rocra malware is successfully detected, blocked and remediated by Kaspersky Lab's products, classified as Backdoor.Win32.Sputnik.
Read the full research report of Rocra by Kaspersky Lab's experts please visit Securelist.
Kaspersky Lab Newsroom
Kaspersky Lab has launched a new online newsroom, Kaspersky Lab Newsroom Europe (http://newsroom.kaspersky.eu/en), for journalists throughout Europe. The newsroom is specifically designed to serve many of the media's most common requests, making it easier for journalists to find product and corporate information, facts and figures, editorial copy, images, videos and audio files, as well as details about the appropriate PR contacts.
About Kaspersky Lab
Kaspersky Lab is the world's largest privately held vendor of endpoint protection solutions. The company is ranked among the world's top four vendors of security solutions for endpoint users*. Throughout its 15-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for consumers, SMBs and Enterprises. The company currently operates in almost 200 countries across the globe, providing protection for over 300 million users worldwide. Learn more at http://www.kaspersky.co.uk. For the latest on antivirus, anti-spyware, anti-spam and other IT security issues and trends, visit: http://www.securelist.com/.
*The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2010. The rating was published in the IDC report Worldwide IT Security Products 2011-2015 Forecast and 2010 Vendor Shares - December 2011. The report ranked software vendors according to earnings from sales of endpoint security solutions in 2010.
© 2013 Kaspersky Lab. The information contained herein is subject to change without notice. The only warranties for Kaspersky Lab products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Kaspersky Lab shall not be liable for technical or editorial errors or omissions contained herein.
Follow us on Twitter
Like us on Facebook
1650 Arlington Business Park
RG7 4SA, Reading
Kaspersky Lab UK
Milton Business Park
OX14 4RY, Oxford
SOURCE Kaspersky Lab
All clouds are not equal. To succeed in a DevOps context, organizations should plan to develop/deploy apps across a choice of on-premise and public clouds simultaneously depending on the business needs. This is where the concept of the Lean Cloud comes in - resting on the idea that you often need to relocate your app modules over their life cycles for both innovation and operational efficiency in the cloud. In his session at @DevOpsSummit at19th Cloud Expo, Valentin (Val) Bercovici, CTO of Soli...
Dec. 9, 2016 09:45 PM EST Reads: 2,000
"Once customers get a year into their IoT deployments, they start to realize that they may have been shortsighted in the ways they built out their deployment and the key thing I see a lot of people looking at is - how can I take equipment data, pull it back in an IoT solution and show it in a dashboard," stated Dave McCarthy, Director of Products at Bsquare Corporation, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Dec. 9, 2016 09:30 PM EST Reads: 1,277
What happens when the different parts of a vehicle become smarter than the vehicle itself? As we move toward the era of smart everything, hundreds of entities in a vehicle that communicate with each other, the vehicle and external systems create a need for identity orchestration so that all entities work as a conglomerate. Much like an orchestra without a conductor, without the ability to secure, control, and connect the link between a vehicle’s head unit, devices, and systems and to manage the ...
Dec. 9, 2016 08:00 PM EST Reads: 1,016
An IoT product’s log files speak volumes about what’s happening with your products in the field, pinpointing current and potential issues, and enabling you to predict failures and save millions of dollars in inventory. But until recently, no one knew how to listen. In his session at @ThingsExpo, Dan Gettens, Chief Research Officer at OnProcess, discussed recent research by Massachusetts Institute of Technology and OnProcess Technology, where MIT created a new, breakthrough analytics model for ...
Dec. 9, 2016 07:45 PM EST Reads: 710
IoT is rapidly changing the way enterprises are using data to improve business decision-making. In order to derive business value, organizations must unlock insights from the data gathered and then act on these. In their session at @ThingsExpo, Eric Hoffman, Vice President at EastBanc Technologies, and Peter Shashkin, Head of Development Department at EastBanc Technologies, discussed how one organization leveraged IoT, cloud technology and data analysis to improve customer experiences and effici...
Dec. 9, 2016 06:45 PM EST Reads: 5,142
Everyone knows that truly innovative companies learn as they go along, pushing boundaries in response to market changes and demands. What's more of a mystery is how to balance innovation on a fresh platform built from scratch with the legacy tech stack, product suite and customers that continue to serve as the business' foundation. In his General Session at 19th Cloud Expo, Michael Chambliss, Head of Engineering at ReadyTalk, discussed why and how ReadyTalk diverted from healthy revenue and mor...
Dec. 9, 2016 06:15 PM EST Reads: 1,763
The 20th International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held June 6-8, 2017, at the Javits Center in New York City, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Containers, Microservices and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit your speaking proposal ...
Dec. 9, 2016 05:30 PM EST Reads: 2,367
In this strange new world where more and more power is drawn from business technology, companies are effectively straddling two paths on the road to innovation and transformation into digital enterprises. The first path is the heritage trail – with “legacy” technology forming the background. Here, extant technologies are transformed by core IT teams to provide more API-driven approaches. Legacy systems can restrict companies that are transitioning into digital enterprises. To truly become a lead...
Dec. 9, 2016 05:30 PM EST Reads: 478
You have great SaaS business app ideas. You want to turn your idea quickly into a functional and engaging proof of concept. You need to be able to modify it to meet customers' needs, and you need to deliver a complete and secure SaaS application. How could you achieve all the above and yet avoid unforeseen IT requirements that add unnecessary cost and complexity? You also want your app to be responsive in any device at any time. In his session at 19th Cloud Expo, Mark Allen, General Manager of...
Dec. 9, 2016 05:15 PM EST Reads: 1,887
The Internet of Things (IoT) promises to simplify and streamline our lives by automating routine tasks that distract us from our goals. This promise is based on the ubiquitous deployment of smart, connected devices that link everything from industrial control systems to automobiles to refrigerators. Unfortunately, comparatively few of the devices currently deployed have been developed with an eye toward security, and as the DDoS attacks of late October 2016 have demonstrated, this oversight can ...
Dec. 9, 2016 05:15 PM EST Reads: 1,468
"MathFreeOn.com is a line coding platform for engineers and scientists. When they want to solve an engineering problem and they have to use software - they have to pay a lot of money for licenses - but with MathFreeOn you don't have to pay a lot of money. Just go to our site and write the code and you can check the result right away," explained Simon Lee, CMO of MathFreeOn, in this SYS-CON.tv interview at 19th Cloud Expo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Cla...
Dec. 9, 2016 05:15 PM EST Reads: 410
In his session at 19th Cloud Expo, Claude Remillard, Principal Program Manager in Developer Division at Microsoft, contrasted how his team used config as code and immutable patterns for continuous delivery of microservices and apps to the cloud. He showed how the immutable patterns helps developers do away with most of the complexity of config as code-enabling scenarios such as rollback, zero downtime upgrades with far greater simplicity. He also demoed building immutable pipelines in the cloud ...
Dec. 9, 2016 05:00 PM EST Reads: 2,071
As data explodes in quantity, importance and from new sources, the need for managing and protecting data residing across physical, virtual, and cloud environments grow with it. Managing data includes protecting it, indexing and classifying it for true, long-term management, compliance and E-Discovery. Commvault can ensure this with a single pane of glass solution – whether in a private cloud, a Service Provider delivered public cloud or a hybrid cloud environment – across the heterogeneous enter...
Dec. 9, 2016 04:45 PM EST Reads: 1,868
Bert Loomis was a visionary. This general session will highlight how Bert Loomis and people like him inspire us to build great things with small inventions. In their general session at 19th Cloud Expo, Harold Hannon, Architect at IBM Bluemix, and Michael O'Neill, Strategic Business Development at Nvidia, discussed the accelerating pace of AI development and how IBM Cloud and NVIDIA are partnering to bring AI capabilities to "every day," on-demand. They also reviewed two "free infrastructure" pr...
Dec. 9, 2016 04:45 PM EST Reads: 1,313
In his session at Cloud Expo, Robert Cohen, an economist and senior fellow at the Economic Strategy Institute, provideed economic scenarios that describe how the rapid adoption of software-defined everything including cloud services, SDDC and open networking will change GDP, industry growth, productivity and jobs. This session also included a drill down for several industries such as finance, social media, cloud service providers and pharmaceuticals.
Dec. 9, 2016 03:45 PM EST Reads: 605
"Dice has been around for the last 20 years. We have been helping tech professionals find new jobs and career opportunities," explained Manish Dixit, VP of Product and Engineering at Dice, in this SYS-CON.tv interview at 19th Cloud Expo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Dec. 9, 2016 03:30 PM EST Reads: 1,244
"ReadyTalk is an audio and web video conferencing provider. We've really come to embrace WebRTC as the platform for our future of technology," explained Dan Cunningham, CTO of ReadyTalk, in this SYS-CON.tv interview at WebRTC Summit at 19th Cloud Expo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Dec. 9, 2016 03:15 PM EST Reads: 876
Extracting business value from Internet of Things (IoT) data doesn’t happen overnight. There are several requirements that must be satisfied, including IoT device enablement, data analysis, real-time detection of complex events and automated orchestration of actions. Unfortunately, too many companies fall short in achieving their business goals by implementing incomplete solutions or not focusing on tangible use cases. In his general session at @ThingsExpo, Dave McCarthy, Director of Products...
Dec. 9, 2016 03:15 PM EST Reads: 990
Infrastructure is widely available, but who’s managing inbound/outbound traffic? Data is created, stored, and managed online – who is protecting it and how? In his session at 19th Cloud Expo, Jaeson Yoo, SVP of Business Development at Penta Security Systems Inc., discussed how to keep any and all infrastructure clean, safe, and efficient by monitoring and filtering all malicious HTTP/HTTPS traffic at the OSI Layer 7. Stop attacks and web intruders before they can enter your network.
Dec. 9, 2016 03:00 PM EST Reads: 414
@DevOpsSummit taking place June 6-8, 2017 at Javits Center, New York City, is co-located with the 20th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. @DevOpsSummit at Cloud Expo New York Call for Papers is now open.
Dec. 9, 2016 03:00 PM EST Reads: 2,024