Dr. Evil, I Presume? The Hunt for Red October


Sometime in 2007, a virtual submarine was launched, albeit without fanfare or the crack of a champagne bottle across its bow. Fittingly, like its namesake fictional sub, Red October has conducted its mission stealthily and effectively. Unlike the Red October of the Tom Clancy novel and subsequent movie, this Red October belongs not to any nation nor any known corporate entity. This is a rogue vessel, whose intentions are thus far unknown.

Although called a computer virus, Red October, which surfaced long enough for detection on a Russian network in October 2012, is actually a long-term cyber-espionage campaign. It employs a chain of servers that act as proxies and also conceal the actual command-and-control server, the "mothership." It appears to target primarily diplomatic, governmental, military, and research entities, and steals documents of many types, including key cryptographic files.

The primary targets have been in Eastern Europe, former USSR republics, and Central Asia, although the campaign has also infiltrated sites in Western Europe and North America. Red October attacks not only servers and personal computers, but also mobile devices including iPhones, Android devices, Windows phones, and even USB thumb drives.

It spreads primarily through targeted "spear phishing" attacks using names that entice readers to download Excel or Word documents. Red October has also taken advantage of the now well-known bug in the Java runtime environment. However it insinuates itself, the result is the creation of an alternate entry point, a backdoor called "Sputnik," on the target system. Once Sputnik is established, it can be instructed to download and execute over one thousand different modules, which in turn can perform these tasks among many others:

  • Gather information about the targeted system immediately upon infection
  • Collect browsing history from Chrome, Firefox, Internet Explorer, and Opera
  • Extract saved passwords for Web sites, FTP servers, mail, and instant messaging accounts
  • Steal Microsoft Outlook account information
  • Steal emails
  • Monitor and extract data—even deleted data—from USB drives
  • Log keystrokes and make screenshots
  • Plant malicious plug-ins in applications such as Microsoft Office and Adobe Reader and create a one-way covert channel of communication to control an infected machine
  • Scan for new targets on a local network
  • Grab data from smartphones and other PC-connected devices about the device, its phone book, contact list, call history, calendar, SMS messages, and browsing history
  • Transfer all collected data to the command-and-control "mothership" server

Perhaps the most chilling aspect of this operation lies in the as-yet unknown motives of those behind Red October. As if from a James Bond novel or an Austin Powers film, some freelancing, non-national entity like SPECTRE or Dr. Evil may be behind the campaign. According to Costin Raiu, a senior security researcher at Kaspersky Lab who discovered Red October, "We believe that the main goal of this operation is to obtain classified information which can be used for geopolitical gains. There's no proof that this cyber-espionage operation is sponsored by a nation state, but the high-profile data stolen from the victims can of course be used by nation states to their advantage. One possibility is that this information is stolen with the intent of being sold to the highest bidder."

Because Red October has an entirely novel architecture and does not appear to be closely related to any known piece of malicious code, and because the code in the various modules does not carry any particular signature or style, Kaspersky Lab and others have theorized that the group behind the espionage campaign commissions the individual modules from hackers contacted through underground networks. It is also thought that these developers act as "cutouts" who have no knowledge of the other developers or of the originator of their contract. Given the scope and sophistication of the overall effort and the fact that its source remains undetermined, Red October signals a new kind of adversary for security professionals worldwide.

"Anti-virus programs can lead people to believe that they are safe when they are not," says Fred Cohen, a security advisor on the editorial board of the Journal in Computer Virology. "Many users download all kinds of things, because they believe that they are protected."

And that's the takeaway on the Red October phenomenon. As always, never download an attachment from an email unless you are certain of its contents and its sender. If in doubt for any reason, contact the sender to determine their identity and intent. Otherwise, always play safe and steer clear of that link. Don't get sunk by something like Red October.


Spring 2013
1/29/2013 3:29:47 PM