sign in sign up
<<
Home , Red October (malware)

.SIAK-Journal – Journal for Police Science and Practice

Braganca, Maschenka (2014): Hunt for Red October. The new face of cyber espionage SIAK-Journal − Journal for Police Science and Practice (International Edition Vol. 4), 87-95.

doi: 10.7396/IE_2014_H

Please cite this articel as follows:

Braganca, Maschenka (2014). Hunt for Red October. The new face of cyber espionage, SIAK-Journal − Journal for Police Science and Practice (International Edition Vol. 4), 87-95, Online: http://dx.doi.org/10.7396/IE_2014_H.

© Federal Ministry of the Interior – Sicherheitsakademie / NWV, 2014

Note: A hard copy of the article is available through the printed version of the SIAK-Journal published by NWV (http://nwv.at). published online: 8/2014 2014 .SIAK-InternAtIonAl edItIon

Hunt for Red October The new face of cyber espionage

Operation Red October – the newly discovered cyber espionage campaign that has targeted a range of diplomatic facilities, defense companies, and energy firms, especially in Eastern Europe but also around the globe – may mark an evolution of the cyber black market. In October of the past year computer security researchers discovered a type of that appears to have been part of a widespread cyber espionage campaign that outplays major operations such as the notorious Virus that was used in a very targeted manner to spy on Middle Eastern countries. The intrusions in the Red October Campaign remained unnoticed for more than five years and might still be looming in the dark at some organizations. The discovery was made public only in October 2012 after the month-long work of a Russian security company that found the malware used to maschenka braganca, infiltrate computer systems in the recent campaign. They also managed to take out large political scientist with a focus on foreign and security policy. parts of the malware infrastructure, and subsequently did in-depth analysis in order to work against the perpetrators and draw some conclusions about motivation and origins. This article looks at the details of Operation Red October, analyzes its nature, impact and ways, in which the trade form of espionage is changing with the evolution of a new threat environment.

OperatiOn red OctOber – groups, oil and gas companies, as well as cyber espiOnage campaign the aerospace industry. They also include During the past five years, the campaign a handful of non-US diplomatic organi­ that has come to be known as “Operation zations inside the United States. The Red Red October” has successfully infiltrated October malware network is considered computer networks at more than 350 diplo- one of the most advanced online espionage matic, governmental and scientific research operations that has been discovered to date. organizations, gathering data and intelli- The researchers from gence from mobile devices, computer named it “Red October” – shortened to systems as well as network equipment. “Rocra” – inspired by the almost noise- The places targeted were spread around less submarine from the eponymous Tom the globe with a significant prevalence in Clancy novel. The name seems to be a Eastern Europe and former Soviet Repub- fitting analogy – a digital submarine lurk­ lics. Targets include trade and commerce ing for more than five years, searching for organizations, nuclear and energy research classified and sensitive information. There

87 .SIAK-InternA t I on A l ed I t I on 2014

Source: Kaspersky Lab 2013 is even reason to believe that some of the Country Infections victims might not even have realized the Russian Federation 35 data theft yet. Kazakhstan 21 Azerbaijan 15 One of the targets has apparently been Belgium 15 the Russian Embassy in the United States, India 14 where tens of thousands of documents, Afghanistan 10 probably including classified reports to Armenia 10 Iran; Islamic Republic of 7 the foreign ministry in Moscow, have re­ Turkmenistan 7 portedly fallen into the hands of cyber Ukraine 6 spies. Besides exfiltration of documents, United States 6 Rocra has also been used to steal encrypted Vietnam 6 Belarus 5 files and decryption keys used by the Eu­ Greece 5 ropean Union and NATO (Nakashima Italy 5 2013). It is possible that a total of several Morocco 5 terabytes of data were stolen. The targets Pakistan 5 Switzerland 5 very clearly indicate an interest in geopoliti­ Uganda 5 cally significant information and govern­ United Arab Emirates 5

ment secrets. table 1: list of countries with most infections Source: Kaspersky Lab 2013 and monitoring how the attackers handled them over the course of several months, which allowed them to collect hundreds of attack modules and tools. One major discovery resulting from this investingation was that in order to control the network of infected machines, the at­ tackers had created more than 60 domain names and several server hosting locations in different countries (many of them in Graphic 1: operation red october, geographical distribution of victims Germany and Russia). Kaspersky Lab’s analysis of Rocra’s Command & Control attack architecture and (C&C or C2) infrastructure shows that the VectOrs chain of servers was actually working as Kaspersky Lab‘s researchers have analyzed proxies in order to hide the location of the the operation in lengthy detail, with a focus “mothership” control server. A control and on the modules used for attack and data command infrastructure is the backbone of exfiltration comprised of malicious exten­ any attack of this kind, and instead of using sions, info-stealing modules and back­ a single command and control server it door Trojans (Kaspersky Lab 2013). They utilizes an embedded command and con­ could figure out how the different stages trol approach, thus avoiding any single of the attack were put into action as well point of failure.2 as the malware family used in the attacks, Though control and command servers which was dubbed “Sputnik”. Kaspersky are sometimes key to some of the most care­ Lab used a sinkhole1 strategy to under­ fully constructed attacks, or what are called stand what was happening. This involved “advanced persistent threats”3, these at­ setting up several victims around the world tacks are typically remotely orchestrated

88 2014 .SIAK-InternA t I on A l ed I t I on

via C&C communications between the Excel). The goal is to infect a target system infiltrated systems and the attackers them­ with backdoor and dropper software (the selves. Typically, malware will call back to so-called Sputnik). these servers for additional downloads or instructions, and can be used by attackers 2. Insert the payload that enfolds once to access the infected system. Traffic for the system is infected via multi-layered C&C servers in persistent attacks is very platform low (compared to botnets) and often hard “Resurrection” module, which functions to locate. Attackers change and redirect as a back-up solution in case the main addresses, use legitimate sites, and even piece of malware gets discovered. The set up C&C servers inside a company’s way this works is that the module is network in order to not raise suspicion. embedded as a plug-in in a program such So, in the Red October Campaign the as Adobe Acrobat and allows the C&C attackers first infected the systems of the station to regain control of the victim targeted organizations and created a multi­ system, which again sends a file to the functional attack platform with different victim station (e.g., via email) that in a extensions and malicious files to adjust renewed effort activates the malware. to the specific configuration of the system Advanced cryptographic spy-modules, under attack and harvest the sought-after the main purpose of which is stealing in­ intelligence from them. It is unique in the formation from different cryptographic sense that the type of modules used has not systems such as Acid Cryptofiler used by been identified in previous cyber espio­ NATO, the EU, and some EU agencies nage campaigns. to protect sensitive information. Mobile devices: The malware is able to 1. Infecting Victims steal information from mobile devices To infect systems, the attackers sent a tar­ such as smartphones but also routers and geted spear-phishing4 email to a victim other enterprise network equipment. that included an attachment. This attach­ ment was a customized Trojan dropper as All these elements showcase the careful can be seen in graphic 2, which basically planning behind this operation that not is an exploit rigged for vulnerabilities in only has been extremely targeted but also Microsoft Office programs (MS Word and sophisticated. The programmers made sure that the information sought after would Source: Kaspersky Lab 2013 be grasped with high certainty. An interesting point is that the Red Oc­ tober campaign does not appear to be a single campaign, but, rather, a concerted effort via a series of campaigns that may have been launched at various times and targets since 2007. Also, it appears that some of the exploits have been “re-used” from different attacks, i.e., programmed by other attackers before Rocra and then re­ used and adapted for that purpose5 .

Graphic 2: First stage of attack as the foundations Kaspersky, in the attempt to take down are laid the operation, has sinkholed more than 60

89 .SIAK-InternAtIonAl edItIon 2014

domains being used by the malware, and are not able to see the data that was stolen found victims in 39 different countries. or recover every attack module. The tech­ Around 250 different IP addresses were niques used, however, enabled the re­ connected to the sinkhole, which it ran searchers to trace servers and IP addresses from last 2 November, 2012 to 10 January, of the targets. Kaspersky Lab in this spe­ 2013. After the sinkholing and the publica­ cific case used detection statistics from tion of the discovery, it was noted that the the Kaspersky Security Network (KSN) as attacker’s control servers were gradually well as the sinkhole analysis. being taken offline in an attempt to destroy Some researchers and security experts evidence (Kaspersky Lab 2013). argue that given the customized malware, massive command-and-control infrastruc­ attributiOn and ture, and the sheer amount of data stolen, mOtiVatiOn some researchers say a nation-state has When it comes to the question of origin, to be behind it (Alperovitch 2013). Al­ attribution and motivation, cyberspace is a so, the strong emphasis on diplomatic grey zone with little to no clarity. In the organizations points towards a nation­ Red October case, from a few hints, the state as the “end customer” of the stolen researchers from Kaspersky Lab deduced information. It is just not clear, based on that there are Russian-speakers involved at the technical information that has been least at the lowest level of the attack, the gathered thus far, who this entire opera­ actual coding. First, based on the registra­ tion can be attributed to. The exploits tion data of C&C servers and the traces left used in the attacks are of the type used by in the executables of the malware, there is Chinese advanced persistent threat (APT) strong technical evidence to indicate the actors, but the malware writers appear to attackers have Russian-speaking origins be native Russian-speakers, according to (Kaspersky Lab 2013). Second, Russian Kaspersky’s findings. Dmitri Alperovitch, slang words keep appearing in the code, Chief Technical Officer (CTO) of the newly including words like “zakladka”, which founded security company CrowdStrike, can mean “bookmark”6 and “proga” mean­ says the attacks have all the earmarks of a ing program. The perpetrator that actually nation-state sponsored initiative. might have ordered and planned the cam­ paign could, however, still be someone else. eVOlutiOn Of adVanced The sophisticated and targeted nature of and targeted threats the intrusions strongly suggests that any Advanced Persistent Threat (APT) is the principal would have to have the appropri­ term used to describe a cybercrime cat­ ate financial means. This could mean that a egory directed at business and political tar­ national government and intelligence ser­ gets that requires a high degree of stealth vice might have ordered it – however, it over a prolonged duration of operation in could as well be criminals looking to sell order to be successful. The attack objectives the data to a government. therefore typically extend beyond immedi­ What was clear is that Rocra was design­ ate financial gain, and compromised sys­ ed to steal data from specific targets – as­ tems continue to be of service even after signing people unique ID numbers and in key systems have been breached and initial some cases employing malware modules goals reached. The idea is to conduct an customized solely for that target. Study­ operation without letting the victim realize ing this becomes difficult as researchers what is happening or at the most confuse

90 2014 .SIAK-InternAtIonAl edItIon

him. That is what happened in the case of does not belong to the family of , Stuxnet7, where the attackers put a lot of and Flame is also more widespread effort into creating an elaborate side show and massive than the infamous Flame to distract the laboratory staff at the en­ cyberspying campaign, according to re­ richment facilities in Natanz. searchers at Kaspersky Lab. Red October is exactly one of these spy­ ware programs that are complex and costly a new era Of espiOnage – but do not have a huge financial gain – they what dO we learn frOm are designed to steal political information this campaign? as opposed to Research and Development What all this shows, is that there is a slow (R&D) plans, intellectual property or bank but steady shift in intelligence and espio­ data. Red October has taken to typical nage conduct. “The most elegant cyber at­ nation-state intelligence gathering activ­ tacks are a lot like the most elegant bank ities from reconnaissance to theft of secret frauds [...] They work best when the vic­ classified information (Sweetman 2012, 72). tim doesn’t even know he’s been robbed”8 The nature of so-called Advanced Persis­ (Sanger 2012, 5). Getting in and getting tent Threats (APT) is that they are out again requires you to think like a bank a) advanced in that operators behind the thief casing a well-protected vault. threat have a full spectrum of intelli­ Intelligence is a way to enhance your gence-gathering techniques at their dis­ understanding of a situation and thereby posal but also extend to conventional create a precise knowledge of your adver­ intelligence-gathering techniques, and saries’ and allies’ capabilities and inten­ often combine multiple targeting meth­ tions and can also provide decision ad- ods and tools in order to reach the target vantage vis-à-vis your adversaries (Sims/ and maintain access to it, Gerber 2008). Information technology b) persistent in that they try to reach their has always been important to gather in­ objective in a “low and slow” approach, telligence on your opponents – whether maintain long-term access to the target to assist in war fighting, or to learn who in order to exfiltrate data over a long pe­ is developing weapons of mass destruction riod of time and make sure the objective (reconnaissance purposes). With regard to in mind has been fulfilled and the intelligence collection process, signifi­ c) a threat, which means APTs have capa­ cant revolutions occurred in the past cen­ bility and intent, the operators are skilled, tury towards signals intelligence (SIGINT) motivated and well-funded (Borger towards a fully integrated system bringing 2001). together Command, Control, Communica­ All these elements have been met at a tions, Computers, Intelligence, Surveil­ high level by the Rocra Operation. lance and Reconnaissance (C4ISR). Kaspersky Lab claims to have never be­ The main characteristic of this (r)evo­ fore seen an attack done with such “surgi­ lution was that technological advances cal precision” (Kaspersky Lab 2013). It is brought about a large basis for intelligence an extensive cyber espionage coup about that could not only be used to provide stra­ national security secrets of certain coun­ tegic warning for decision-makers, but tries. Rocra is not as sophisticated as could be directly linked to tactical opera­ Flame, which spread through Windows tions, and therein enabled complete control software updates, but it is described as of the battle space. This flow of new data more “elegant” (Nakashima 2013). It also also necessitated more large-scale analy­

91 .SIAK-InternAtIonAl edItIon 2014

sis, which was reflected in the creation of provides allows for complete anonymity new offices and analytical units (Smith of transactions and content and makes at­ 2001, 40). Surveillance was then not only tribution a difficult task. The cyber realm provided by spies on the ground (human offers actors a space that is sheltered and intelligence or HUMINT) but increasingly vastly unregulated and therefore allows for shifted up to the air, and later space, ac­ all kinds of illicit trade. You cannot pin­ companied by significant advancements in point who is behind an attack/campaign – electronic surveillance technology e.g., ra­ attacks could even be “crowd sourced” by dar9. The C4ISR revolution shows how ca­ governments (Choucri/Goldsmith, 2012). pabilities have evolved not only to provide Another characteristic of the networked strategic or tactical reconnaissance but that environment is that sensitive documents the goal is to develop and apply formida­ that were locked in filing cabinets behind ble strategic capabilities to tactical efforts locked doors are now migrating into the in increasingly more effective ways. cloud and embedded in social networking Space-based reconnaissance evolved as services that have questionable security part of the revolution in strategic intelli­ architectures and poor data handling prac­ gence and subsequently, the “revolution tices – thumb drives being inserted and in military affairs” (RMA), and provided circulating, disks uploading information, the US strategic advantage during the Cold mobile phones sending and receiving in­ War and beyond. The basic idea of ISR formation while roaming over different (intelligence, surveillance and reconnais­ networks. sance), is to utilize technological advance­ Now cyber intrusions are not only directed ments for strategy, intelligence and tactics. against governmental networks but the Cyberspace, however, is essentially a new great majority target private corporations, environment – a unique ecosystem. In the which come under the purview of a national 1980s and 1990s the “revolution in mili­ government. One of the biggest problems tary affairs” recognized the role of infor­ besides cyber crime and a problem that mation technology in the conduct of armed the FBI identifies as its number 1 criminal forces. But only in the last decade did the priority in the cyber realm, is industrial or realization occur that cyberspace itself has economic espionage (Robinson 2007, 5). become more than a tool (such as recon­ However, with regard to state owned naissance aircraft or aperture radars), but intelligence efforts, cyber espionage is an actual environment. This is a transfor­ “potentially the most valuable addition to mation of the global (technological envi­ spycraft since the advent of signals intel­ ronment) into an artificial environment, in ligence” (Sweetman 2012, 18). The intake which new rules and power-relations are can include large volumes of detailed tech­ being established – an environment that nical information that can be disseminated state and non-state actors will engineer to with relative freedom to end-users – people suit their strategic interests (Deibert 2011). designing and engineering systems. The The goal is to maintain or attain strategic relative freedom comes from the fact that advantage relative to competitors. no agents are at risk and the techniques and Cyberspace is an integrated domain, software used for network penetration are where public and private, civil and mili­ not designed for a long life: The presump­ tary (though separate networks), national tion is that they will be detected, countered as well as foreign actors operate simulta­ and replaced with something new. neously. The anonymity that cyberspace

92 2014 .SIAK-InternAtIonAl edItIon

what is being dOne – what Lab is collaborating with international needs tO be dOne? organizations, law enforcement agencies One effect of the cyber environment is that and national Computer Emergency Re­ such attacks are difficult to detect a priori sponse Teams (CERTs) of the victim and an attack or intrusion – especially the states, thereby continuing the investigation more advanced and persistent kind – is and providing resources for mitigation often recognized only after significant da­ and remediation (Kaspersky Lab 2013). mage has been done. There is a range of Early warning and good counter-intelli­ strategies used to protect networks, some gence: effective counter-intelligence is of them more passive and reactive, whereas an essential element in combating foreign others are more offensive. Among them are: technical threats. The major problem with Securing hardware and software by a cyber is not the actual attack with a ki­ layered approach utilizing the most up­ netic/physical effect such as power out­ to-date security software (firewalls, ages but cyber espionage and exfiltration, scanners, 2-factor-authentication, pene­ exfiltration of information without know­ tration testing of networks, malware de­ ledge of the victim. Part of this is due to tection systems, and other techniques). our overarching dependence on sophisti­ Threat analysis and forensics for APTs: cated IT and net-centric concepts. What threat analysis is a concept often associ­ has been a measure of technological ated with security threat intelligence, edge has increasingly proven to be a where the focus is directed towards gain­ huge disadvantage in an adversarial ing knowledge of new and existing threats environment (cf. Gosler 2008, 173–198). for the purpose of formulating defenses to mitigate them. Therefore, the cycle of To conclude, it has to be said that the prepare/analyze/identify/respond (PAIR) threats emanating from cyberspace and is a useful model to more effectively the utilization for intelligence collection leverage these systems and data with require a joint conceptualization of our analytical techniques to help locate and strategic environment – physical and vir­ eradicate threats in the environment tual. Virtual means might be the preferred (Spruell/Wanner 2007, 4).10 way to go, but the objectives and moti­ Collaboration between IT security provid­ vations still remain strikingly similar. Get­ ers, government and law enforcement en­ ting in and getting out again still requires tities: in the case of Rocra, Kaspersky you to think like a bank thief.

93 .SIAK-InternAtIonAl edItIon 2014

1 The sinkoholing technique has been successfully Sources of information used in the past to bring down the Zeus Trojan Alperovitch, D. (2013). ‘Red October’ Attacks: The and associated botnet. New Face of Cyberespionage, Dark Reading.com. 2 Us u a l l y a gr o u p of in f e c t e d co m p u t e r s Borger, J. (2001). America’s War with an in­ that have been recruited for running mali­ visible enemy. Guardian Online. May 8, http:// cious software is referred to as a “botnet”. www.guardian.co.uk/world/2001/may/08/world­ A botnet’s originator can control the group and is dispatch.julianborger. usually referred to as the main command-and­ Choucri, N./Goldsmith, D. (2012). Lost in cy­ control server (C&C server). berspace: Harnessing the Internet, international 3 APTs are longlasting sustained attacks with a relations and global security, Bulletin of the high level of sophistication and a major impact Atomic Scientists, 70–77. on the victim system. Deibert, R. (2011). Tracking the emerging arms 4 Spearphishing is an attempt directed at specific race in cyberspace, Interview, The Bulletin of the individuals or companies, where information Atomic Scientists 67 (1), 1–8. (such as usernames, passwords, credit card dig­ Gosler, J. (2008). Counterintelligence: Too its, etc.) is acquired by masquerading as a trust­ Narrowly Practiced, in: Sims, J. E./Gerber, B. worthy entity in electronic communication. (eds.) Vaults, Mirrors & Masks: Rediscovering 5 E.g., by using various embedded executables. US Counterintelligence, Washington D.C. 6 Intriguingly, Kaspersky’s researchers explain Kaspersky Lab (2013). “Red October” Diplo­ that in Russian, the term “Zakladka” also refers matic Cyber Attacks Investigation. Jan 14, http:// to a “microphone embedded in a brick of the em­ www.kaspersky.com/about/news/virus/2013/ bassy building”, implying the bugging technique, Kaspersky_Lab_Identifies_Operation_Red_ which was an old standard method used for O ct o b er _a n _Advanced_Cyber_Espionage_ penetration and interception by the US and Campaign_Targeting_Diplomatic_and_Govern USSR/Russia for decades. ment_Institutions_Worldwide. 7 Stuxnet is the name by which the cyber attack Nakashima, E. (2013). Computer Malware targets used to bring down Iranian uranium enrichment European Agencies. Washington Post, 14 Jan, efforts came to be known as. http://articles.washingtonpost.com/2013-01-14/ 8 One of the early architects of “Olympic Games” world/36323010_1_malware-flame-virus-targets. was quoted as having told David E. Sanger, Robinson, S. (2007). Corporate Espionage 201, when asked how Washington was making use of SANS Institute Infosec Reading Room, http:// the new technology of offensive cyber weapons. www.sans.org/reading_room/whitepapers/ 9 The shift from air to space: a further step in engineering/corporate-espionage-201_512. the creation of far-reaching, detailed accurate Sanger, D. (2012). Confront and Conceal. and stealthy reconnaissance capabilities was Obama’s Secret Wars and Surprising Use of the shift to the use of satellites during the Cold American Power, Washington D.C. War. One of the reasons for this was that aircraft Sims, J. E./Gerber, B. (eds.) (2008). Vaults, could be detected and tracked as well as shot Mirrors & Masks: Rediscovering US Counter­ down at some point and space-based systems of­ intelligence, Washington, D.C. fered some benefits by circumventing the dangers Smith, C. (2001). CIA’s Analysis of Soviet threatening aerial overflight. Science and Technology, CIA’s Analysis Of 10 The SANS Advanced Threat Analytics Paper The Soviet Union, 1947–1991, https://www.cia. provides an excellent, simple and in-depth over­ gov/library/center-for-the-study-of-intelligence/ view of identification, mitigation strategies and cs i -p u b l i c a t i o n s / books-and-monographs/ incident response procedures. cias-analysis-of-the-soviet-union-1947-1991/ analysis_sANDt.pdf.

94 2014 .SIAK-InternAtIonAl edItIon

Spruell, D./Wanner R. (2007). Advanced Threat Johnson, L. (2007). Handbook of Intelligence Analytics for Incident Response. SANS Insti­ Studies, New York. tute InfoSec Reading Room, www.sans.org/.../ Williams, P./Shimeall, T./Dunlevy, C. (2002). advanced-threat-analytics-incident-response_2133. Intelligence Analysis for Internet Security, Con­ Sweetman, B. (2012). I Spy, Aviation Week & temporary Security Policy 23 (2), 1–38. Space Technology 174 (40), 72. Cyber Statecraft Initiative of the Atlantic Coun­ cil, http://www.acus.org/tags/cyber-statecraft­ Further literature and links initiative. Carr, J. (2012). Inside Cyber Warfare: Mapping International Cyber Security Protection Alli­ the Cyber Underworld, Sebastopol, CA. ance, https://www.icspa.org/. Clarke, R. A./Knake, R. K. (2010). Cyber War: KillerApps – National Security in the Cyber Age The Next Threat to National Security and What (John Reeds Foreign Policy Blog), http://killer to Do About It, New York. apps.foreignpolicy.com/. INSA Report (2011). Cyber Intelligence. Set­ NATO Cooperative Cyber Defence Centre of Ex­ ting the Landscape for an Emerging Disci­ cellence, https://www.ccdcoe.org/. pline, https://images.magnetmail.net/images/ Zero Day – The Threat in Cyberspace. clients/INSA/attach/INSA_CYBER_INTELLI A Washington Post Special Report, http://www. GENCE_2011.pdf. washingtonpost.com/investigations/zero-day.

95