The Attack of Red October: Cyberespionage is not just for Nation-states Anymore

After reading a recent analysis of the newly discovered Red October malware, I was left with a profound feeling of dread. We all surmised this kind of thing was probably happening. Flame and Stuxnet demonstrated that sophisticated cyberattacks are in fact taking place. Up until now, the malware we’ve seen has been attributed to state-sponsored entities that appear to be narrowly targeting specific regions – the realm of political motivations. This latest campaign, however, appears to demonstrate that it’s not just governments looking to pilfer state secrets through cyberespionage; professional crime organizations have gotten into the game as well.

This is a wonderful example of the asymmetric nature of cyberwarfare. In many ways, the digital battlefield is the great equalizer, and while unlimited resources will get you a more polished product, quite a bit can be done with a much more modest budget. Consider that the Red October attackers appear to have been quite adept at leveraging the work of others, as well as using what they learned along the way. Instead of developing or purchasing zero-days, they used the same exploits – in some cases the exact same malicious Word documents used in other attacks attributed to a completely different group – with only the payload modified. Most self-respecting state-sponsored attack developers would scoff at such a notion. The Red October attackers also reused information, such as passwords, that they likely harvested over the course of their campaign. While these techniques don’t have the flair of the MD5 collision attack used by Flame, the development cost is essentially zero, and the campaign appears to have been quite successful thus far.

It also demonstrates that a handful of smart, motivated actors can achieve a high degree of sophistication. The malware involved in the campaign is impressively modular, with components designed to extract data from network hardware, USB drives and mobile phones, as well as the more traditional keystroke logging and password dumping. The persistence modules are somewhat novel: they install add-ins into Adobe and Microsoft Office that allow the malicious code to be reintroduced simply by sending a document with an embedded payload but no exploit code. Because the document carries no exploit, it can bypass some security checks such as traditional virus scanners. Also, the command and control infrastructure included sufficient redirection and complexity to effectively shield the identities of the operators behind the campaign.

Finally, I find the targeting of the campaign to be very interesting. The attackers do not appear to be going after heavily protected systems, but rather those through which sensitive data is likely to pass (embassies, government research institutes, and military contractors). While these systems may not hold real state secrets, a lot of related data passes through them, likely allowing the attackers to intercept some very sensitive information. Sifting through all the data gathered is not a trivial task, but it is also not an urgent one. Automated searches can be run for keywords related to more time-sensitive information, and the rest can be reviewed as time allows. This also appears to be a high-touch campaign, with the attackers actively involved with the infected systems and pushing down new modules as needed. While a campaign of this nature is still outside the reach of most of the smaller cybercriminal groups out there, it is definitely not a nation-state-only club, and there are strong indications that this may have been the work of another entity.

While 99.9 percent of attacks are fairly typical, it is important to remember that there is also some really nasty stuff out there. Also remember that both Flame and this campaign were going on for several years before being brought to light. Who knows what else is out there waiting to be found? It will be both interesting and frightening, I’m sure.

Bit9 provides Advanced Threat Protection for endpoints and servers using the market’s leading trust-based application control and whitelisting.

