
.SIAK-Journal – Zeitschrift für Polizeiwissenschaft und polizeiliche Praxis

Braganca, Maschenka (2013): Hunt for Red October. The New Face of Cyber Espionage, SIAK-Journal − Zeitschrift für Polizeiwissenschaft und polizeiliche Praxis (2), 37-44.

doi: 10.7396/2013_2_D

To cite this article as a source, please use the following reference:

Braganca, Maschenka (2013). Hunt for Red October. The New Face of Cyber Espionage, SIAK-Journal − Zeitschrift für Polizeiwissenschaft und polizeiliche Praxis (2), 37-44, Online: http://dx.doi.org/10.7396/2013_2_D.

© Bundesministerium für Inneres – Sicherheitsakademie / Verlag NWV, 2013

Note: The printed version of this article appeared in the print edition of the SIAK-Journal, published by Verlag NWV (http://nwv.at).

Published online: 10/2013

.SIAK-JOURNAL 2/2013

Hunt for Red October. The New Face of Cyber Espionage

MASCHENKA BRAGANCA, politologist focussing on foreign and security policy.

Operation Red October – the newly discovered cyber espionage campaign that has targeted a range of diplomatic facilities, defense companies, and energy firms, especially in Eastern Europe but also around the globe – may mark an evolution of the cyber black market. In October of the past year computer security researchers discovered a type of malware that appears to have been part of a widespread cyber-espionage campaign that outplays major operations such as the notorious virus that was used in a very targeted manner to spy on Middle Eastern countries. The intrusions in the Red October campaign remained unnoticed for more than five years and might still be looming in the dark at some organizations. The discovery was made public only in October 2012 after the month-long work of a Russian security company that found the malware used to infiltrate computer systems in the recent campaign. They also managed to take out large parts of the malware infrastructure, and subsequently did in-depth analysis in order to work against the perpetrators and draw some conclusions about motivation and origins. This article looks at the details of Operation Red October, analyzes its nature and impact, and the ways in which the trade of espionage is changing with the evolution of a new threat environment.

OPERATION RED OCTOBER – CYBER ESPIONAGE CAMPAIGN

During the past five years, the campaign that has come to be known as “Operation Red October” has successfully infiltrated computer networks at more than 350 diplomatic, governmental and scientific research organizations, gathering data and intelligence from mobile devices, computer systems as well as network equipment. The places targeted were spread around the globe with a significant prevalence in Eastern Europe and former Soviet Republics. Targets include trade and commerce organizations, nuclear and energy research groups, oil and gas companies, as well as the aerospace industry. They also include a handful of non-US diplomatic organizations inside the United States. The Red October malware network is considered one of the most advanced online espionage operations that has been discovered to date. The researchers from Kaspersky Lab named it “Red October” – short “Rocra” – inspired by the almost noiseless submarine from the eponymous Tom Clancy novel. The name seems to be a fitting analogy – a digital submarine lurking for more than five years, searching for classified and sensitive information. There is even reason to believe that some of the victims might not even have realized the data theft yet.

One of the targets has apparently been the Russian Embassy in the United States, where tens of thousands of documents, probably including classified reports to the foreign ministry in Moscow, have reportedly fallen into the hands of cyber spies. Beside exfiltration of documents, Rocra has also been used to steal encrypted files and decryption keys used by the European Union and NATO (Nakashima 2013). It is possible that a total of several terabytes of data were stolen. The targets very clearly indicate an interest in geopolitically significant information and government secrets.

Table 1: List of countries with most infections (Source: Kaspersky Lab 2013)

Country                     Infections
Russian Federation          35
Kazakhstan                  21
Azerbaijan                  15
Belgium                     15
India                       14
Afghanistan                 10
Armenia                     10
Iran, Islamic Republic of    7
Turkmenistan                 7
Ukraine                      6
United States                6
Vietnam                      6
Belarus                      5
Greece                       5
Italy                        5
Morocco                      5
Pakistan                     5
Switzerland                  5
Uganda                       5
United Arab Emirates         5

Graphic 1: Operation Red October, geographical distribution of victims (Source: Kaspersky Lab 2013; image not reproduced)

ATTACK ARCHITECTURE AND VECTORS

Kaspersky Lab’s researchers have analyzed the operation in lengthy detail, with a focus on the modules used for attack and data exfiltration, comprised of malicious extensions, info-stealing modules and backdoor Trojans (Kaspersky Lab 2013). They could figure out how the different stages of the attack were put into action as well as the malware family used in the attacks, which was dubbed “Sputnik”. Kaspersky Lab used a sinkhole1 strategy to understand what was happening. This involved setting up several victims around the world and monitoring how the attackers handled them over the course of several months, which allowed them to collect hundreds of attack modules and tools. One major discovery resulting from this investigation was that in order to control the network of infected machines, the attackers had created more than 60 domain names and several server hosting locations in different countries (many of them in Germany and Russia). Kaspersky Lab’s analysis of Rocra’s Command & Control (C&C or C2) infrastructure shows that the chain of servers was actually working as proxies in order to hide the location of the “mothership” control server. A command and control infrastructure is the backbone of any attack of this kind, and instead of using a single command and control server it utilizes an embedded command and control approach, thus avoiding any single point of failure.2

Though command and control servers are sometimes key to some of the most carefully constructed attacks, or what are called “advanced persistent threats”3, these attacks are typically remotely orchestrated via C&C communications between the infiltrated systems and the attackers themselves. Typically, malware will call back to these servers for additional downloads or instructions, and they can be used by attackers to access the infected system. Traffic to C&C servers in persistent attacks is very low (compared to botnets) and often hard to locate. Attackers change and redirect addresses, use legitimate sites, and even set up C&C servers inside a company’s network in order not to raise suspicion.

So, in the Red October campaign the attackers first infected the systems of the targeted organizations and created a multi-functional attack platform with different extensions and malicious files to adjust to the specific configuration of the system under attack and harvest the sought-after intelligence from them. It is unique in the sense that the type of modules used has not been identified in previous cyber-espionage campaigns.

1. Infecting Victims

To infect systems, the attackers sent a targeted spear-phishing4 email to a victim that included an attachment. This attachment was a customized Trojan dropper, as can be seen in graphic 2, which basically is an exploit rigged for vulnerabilities in Microsoft Office programs (MS Word and Excel). The goal is to infect a target system with backdoor and dropper software (the so-called Sputnik).

Graphic 2: First stage of attack as the foundation (Source: Kaspersky Lab 2013; image not reproduced)

2. Inserting the payload that unfolds once the system is infected via a multi-layered platform

“Resurrection” module: functions as a back-up solution in case the main piece of malware gets discovered. The way this works is that the module is embedded as a plug-in in a program such as Adobe Acrobat and allows the C&C station to regain control of the victim system, which again sends a file to the victim station (e.g. via email) that in a renewed effort activates the malware.

Advanced cryptographic spy-modules: the main purpose of which is stealing information from different cryptographic systems such as Acid Cryptofiler, used by NATO, the EU and some EU agencies to protect sensitive information.

Mobile devices: The malware is able to steal information from mobile devices such as smartphones but also from routers and other enterprise network equipment.

All these elements showcase the careful planning behind this operation, which has not only been extremely targeted but also sophisticated. The programmers made sure that the information sought after would be grasped with high certainty.

An interesting point is that the Red October campaign does not appear to be a single campaign, but, rather, a concerted effort via a series of campaigns that may have been launched at various times and against various targets since 2007. Also, it appears that some of the exploits have been “re-used” from different attacks, i.e. programmed by other attackers before Rocra and then re-used and adapted for that purpose5. Kaspersky, in the attempt to take down the operation, has sinkholed more than 60 domains being used by the malware.
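The C&C behaviour described in this section (callbacks to a chain of proxy servers, traffic that is low compared to botnets and therefore hard to locate, and a sinkhole whose domain list eventually identified the victims) is what a defender looks for in outbound proxy logs. The following is an added example, not code from the article or from Kaspersky Lab: it parses a few constructed proxy log lines, matches destinations against a constructed list of sinkholed domains (standing in for an indicator list shared by a sinkhole operator or a national CERT), and then flags host/domain pairs that are contacted at near-constant intervals, the “low and slow” callback pattern the text attributes to persistent attacks. Log format, host names, domains, the indicator list and the thresholds are all assumptions made for this example; none of the domains are real Red October indicators.

```python
"""Triage of outbound proxy logs for command-and-control beaconing.

Added example (not from the article or Kaspersky Lab). Log format, host names,
domains, indicator list and thresholds are all constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed indicator list, standing in for sinkholed domains shared by a
# sinkhole operator or a national CERT. Placeholders, not real IoCs.
SINKHOLED_DOMAINS = {"update-srv.example", "news-feed-cdn.example"}

# Constructed proxy log: "<ISO timestamp> <source host> <destination> <bytes out>".
# ws-017 contacts one external host every hour with ~300 bytes; ws-044 talks to a
# vendor CDN at irregular times; ws-023 hits a domain on the indicator list once.
SAMPLE_LOG = """\
2012-11-02T08:00:03 ws-017 intranet.example.local 1420
2012-11-02T08:00:11 ws-017 sync.telemetry-host.example 312
2012-11-02T08:00:40 ws-044 cdn.vendor.example 9800
2012-11-02T08:15:22 ws-023 update-srv.example 540
2012-11-02T09:00:09 ws-017 sync.telemetry-host.example 305
2012-11-02T09:30:00 ws-044 cdn.vendor.example 2200
2012-11-02T10:00:12 ws-017 sync.telemetry-host.example 318
2012-11-02T10:45:13 ws-044 cdn.vendor.example 1800
2012-11-02T11:00:07 ws-017 sync.telemetry-host.example 301
2012-11-02T12:00:10 ws-017 sync.telemetry-host.example 310
2012-11-02T13:02:00 ws-044 cdn.vendor.example 51000
2012-11-02T13:30:00 ws-044 intranet.example.local 700
"""


@dataclass
class Event:
    ts: datetime
    host: str
    domain: str
    bytes_out: int


@dataclass
class Beacon:
    host: str
    domain: str
    count: int
    mean_interval: float  # seconds between contacts
    jitter: float         # std-dev of the intervals divided by their mean


def parse_log(text):
    """Parse the whitespace-separated log format assumed above."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, domain, nbytes = line.split()
        events.append(Event(datetime.fromisoformat(ts), host, domain, int(nbytes)))
    return events


def match_indicators(events, indicators=frozenset(SINKHOLED_DOMAINS)):
    """Check 1: which hosts talked to a sinkholed / known C&C domain."""
    return sorted({(e.host, e.domain) for e in events if e.domain in indicators})


def find_regular_beacons(events, min_events=4, max_jitter=0.1, internal_suffixes=(".local",)):
    """Check 2: external destinations contacted at near-constant intervals.

    Persistent-threat C&C traffic is sparse, so volume thresholds miss it; the
    regularity of the callbacks is the better signal. Internal destinations are
    skipped because scheduled intranet traffic would otherwise dominate the list.
    """
    by_pair = defaultdict(list)
    for e in events:
        if e.domain.endswith(internal_suffixes):
            continue
        by_pair[(e.host, e.domain)].append(e.ts)
    beacons = []
    for (host, domain), stamps in sorted(by_pair.items()):
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
        if jitter <= max_jitter:
            beacons.append(Beacon(host, domain, len(stamps), avg, jitter))
    return beacons


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for host, domain in match_indicators(evs):
        print(f"indicator hit: {host} -> {domain}")
    for b in find_regular_beacons(evs):
        print(f"beacon: {b.host} -> {b.domain} every {b.mean_interval:.0f}s (jitter {b.jitter:.4f})")
```

Run stand-alone, it reports the single indicator hit from ws-023 and the hourly callback from ws-017; the vendor CDN traffic from ws-044 has the same number of connections but is rejected by the jitter threshold. Both thresholds are starting points to be tuned per environment, and the indicator match only ever finds what a sinkhole operator has already published, which is why the regularity check is kept separate.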
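The infection stage described above begins with a spear-phishing mail whose attachment is an Office document rigged with an exploit, and the “Resurrection” module hides in an Adobe Acrobat plug-in. A mail gateway cannot recognise an unknown exploit document from its first bytes, but it can determine what an attachment actually is, independently of the name it carries, route genuine Office and PDF documents to sandbox detonation, and reject executables and mislabelled content outright. The following is an added example, not code from the article or from Kaspersky Lab: the attachments are constructed byte strings, the magic numbers are the published container signatures (OLE2 compound file, ZIP/OOXML, PE, PDF), and the verdict policy (block / sandbox / deliver) is an assumption made for illustration rather than any product's rule set.

```python
"""Content-based triage of e-mail attachments.

Added example (not from the article or Kaspersky Lab). Samples are constructed
byte strings; the verdict policy is an illustration, not a vendor's rule set.
"""
import os

# Published container signatures (leading bytes), independent of the file name.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML .docx/.xlsx are ZIP containers
PE_MAGIC = b"MZ"                                    # Windows executable
PDF_MAGIC = b"%PDF-"

# What a given declared extension must actually contain to be treated as a document.
EXPECTED_KIND = {".doc": "ole2", ".xls": "ole2", ".docx": "ooxml", ".xlsx": "ooxml", ".pdf": "pdf"}

# Constructed attachments (assumption: headers only, padded; no real documents).
SAMPLES = {
    "quarterly_report.doc": OLE2_MAGIC + b"\x00" * 504,                          # genuine legacy Word file
    "agenda.docx": ZIP_MAGIC + b"\x14\x00\x00\x00\x00\x00" + b"[Content_Types].xml" + b"\x00" * 32,
    "invoice.xls": PE_MAGIC + b"\x90\x00\x03\x00" + b"\x00" * 58,                # executable renamed to .xls
    "notes.docx": OLE2_MAGIC + b"\x00" * 56,                                    # name says OOXML, content is OLE2
    "brief.pdf": PDF_MAGIC + b"1.5\n%\xe2\xe3\xcf\xd3\n",
    "readme.txt": b"Agenda for Tuesday\n",
}


def declared_extension(filename):
    """Lower-cased final extension; 'report.doc.exe' yields '.exe'."""
    return os.path.splitext(filename)[1].lower()


def detect_kind(data):
    """Classify by leading bytes only; the file name is never consulted."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        # An OOXML package is a ZIP that carries a [Content_Types].xml entry.
        return "ooxml" if b"[Content_Types].xml" in data else "zip"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def triage(filename, data):
    """Return (verdict, detected kind) for one attachment.

    block   - executable content, or a document name on non-document content
    sandbox - a real Office/PDF document: detonate and scan before delivery,
              since an exploit document is indistinguishable by header alone
    deliver - neither a document nor an executable by content
    """
    ext = declared_extension(filename)
    kind = detect_kind(data)
    if kind == "pe":
        return ("block", kind)
    if ext in EXPECTED_KIND:
        return ("sandbox", kind) if kind == EXPECTED_KIND[ext] else ("block", kind)
    if kind in ("ole2", "ooxml", "pdf", "zip"):
        return ("sandbox", kind)  # document/archive content under an unrelated name
    return ("deliver", kind)


def triage_all(samples):
    """Apply the policy to every constructed sample; returns name -> (verdict, kind)."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (verdict, kind) in triage_all(SAMPLES).items():
        print(f"{name:22s} {kind:8s} -> {verdict}")
```

The point of the policy is that the declared extension is treated as a claim to be verified, never as the classification itself: an executable named invoice.xls is blocked on its content, and a genuine Word document is sent to detonation precisely because a rigged one would carry the same header.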


It found victims in 39 different countries. Around 250 different IP addresses were connected to the sinkhole, which it ran from November 2, 2012 to January 10, 2013. After the sinkholing and the publication of the discovery, it was noted that the attackers’ control servers were gradually being taken offline in an attempt to destroy evidence (Kaspersky Lab 2013).

ATTRIBUTION AND MOTIVATION

When it comes to the question of origin, attribution and motivation, cyberspace is a grey zone with little to no clarity. In the Red October case, from a few hints, the researchers from Kaspersky Lab concluded that there are Russian-speakers involved at least at the lowest level of the attack, the actual coding. First, based on the registration data of C&C servers and the traces left in the executables of the malware, there is strong technical evidence to indicate the attackers have Russian-speaking origins (Kaspersky Lab 2013). Second, Russian slang words keep appearing in the code, including words like “zakladka”, which can mean “bookmark”6, and “proga”, meaning program. The perpetrator that actually might have ordered and planned the campaign could, however, still be someone else. The sophisticated and targeted nature of the intrusions strongly suggests that any principal would have to have the appropriate financial means. This could mean that a national government and intelligence service might have ordered it – however, it could as well be criminals looking to sell the data to a government.

What was clear is that Rocra was designed to steal data from specific targets – assigning people unique ID numbers and in some cases employing malware modules customized solely for that target. Studying this becomes difficult as researchers are not able to see the data that was stolen or recover every attack module. The techniques used, however, enabled the researchers to trace servers and IP addresses of the targets. Kaspersky Lab in this specific case used detection statistics from the Kaspersky Security Network (KSN) as well as the sinkhole analysis.

Some researchers and security experts argue that, given the customized malware, massive command-and-control infrastructure, and the sheer amount of data stolen, a nation-state has to be behind it (Alperovitch 2013). Also, the strong emphasis on diplomatic organizations points towards a nation-state as the “end customer” of the stolen information. It is just not clear, based on the technical information that has been gathered thus far, who this entire operation can be attributed to. The exploits used in the attacks are of the type used by Chinese advanced persistent threat (APT) actors, but the malware writers appear to be native Russian-speakers, according to Kaspersky’s findings. Dmitri Alperovitch, Chief Technical Officer (CTO) of the newly founded security company CrowdStrike, says the attacks have all the earmarks of a nation-state sponsored initiative.

EVOLUTION OF ADVANCED AND TARGETED THREATS

Advanced Persistent Threat (APT) is the term used to describe a cybercrime category directed at business and political targets that requires a high degree of stealth over a prolonged duration of operation in order to be successful. The attack objectives therefore typically extend beyond immediate financial gain, and compromised systems continue to be of service even after key systems have been breached and initial goals reached. The idea is to conduct an operation without letting the victim realize what is happening, or at the most to confuse him. That is what happened in the case of Stuxnet7, where the attackers put a lot of effort into creating an elaborate side stage to distract the laboratory staff at the enrichment facilities in Natanz.

Red October is exactly one of these spyware programs that are complex and costly – but do not have a huge financial gain – they are designed to steal political information as opposed to Research and Development (R&D) plans, intellectual property or bank data. Red October has taken to typical nation state intelligence gathering activities, from reconnaissance to theft of secret classified information (Sweetman 2012, 72). The nature of so-called Advanced Persistent Threats (APT) is that they are
a) advanced in that operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal but also extend to conventional intelligence-gathering techniques, and often combine multiple targeting methods and tools in order to reach the target and maintain access to it,
b) persistent in that they try to reach their objective in a “low and slow” approach, maintain long-term access to the target in order to exfiltrate data over a long period of time and make sure the objective in mind has been fulfilled, and
c) threat, which means APTs have capability and intent; the operators are skilled, motivated and well-funded (Borger 2001).
All these elements have been met at a high level by the Rocra operation. Kaspersky Lab claims to have never before seen an attack done with such “surgical precision” (Kaspersky Lab 2013). It is an extensive cyber espionage coup about national security secrets of certain countries. Rocra is not as sophisticated as Flame, which spread through Windows software updates, but it is described as more “elegant” (Nakashima 2013). It also does not belong to the family of , and Flame, and is also more widespread and massive than the infamous Flame cyberspying campaign, according to researchers at Kaspersky Lab.

A NEW ERA OF ESPIONAGE – WHAT DO WE LEARN FROM THIS CAMPAIGN?

What all this shows is that there is a slow but steady shift in intelligence and espionage conduct. “The most elegant cyber attacks are a lot like the most elegant bank frauds (...) They work best when the victim doesn’t even know he’s been robbed”8 (Sanger 2012, 5). Getting in and getting out again requires you to think like a bank thief casing a well-protected vault. Intelligence is a way to enhance your understanding of a situation and thereby create a precise knowledge of your adversaries’ and allies’ capabilities and intentions, and can also provide decision advantage vis-à-vis your adversaries (Sims/Gerber 2008). Information technology has always been important to gather intelligence on your opponents – whether to assist in war fighting, or to learn who is developing weapons of mass destruction (reconnaissance purposes). With regard to the intelligence collection process, significant revolutions occurred in the past century, from signals intelligence (SIGINT) towards a fully integrated system bringing together Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance (C4ISR). The main characteristic of this (r)evolution was that technological advances brought about a large basis for intelligence that could not only be used to provide strategic warning for decision-makers, but could be directly linked to tactical operations, and therein enabled complete control of the battle space. This flow of new data also necessitated more large-scale analysis, which was reflected in the creation of new offices and analytical units (Smith 2001, 40). Surveillance was then not only provided by spies on the ground (human intelligence or HUMINT) but increasingly shifted up to the air, and later space, accompanied by significant advancements in electronic surveillance technology, e.g. radar9. The C4ISR revolution shows how capabilities have evolved not only to provide strategic or tactical reconnaissance but that the goal is to develop and apply formidable strategic capabilities to tactical efforts in increasingly more effective ways. Space-based reconnaissance evolved as part of the revolution in strategic intelligence and subsequently the “revolution in military affairs” (RMA), and provided the US strategic advantage during the Cold War and beyond. The basic idea of ISR (intelligence, surveillance and reconnaissance) is to utilize technological advancements for strategy, intelligence and tactics.

Cyberspace, however, is essentially a new environment – a unique ecosystem. In the 1980s and 1990s the “Revolution in Military Affairs” recognized the role of information technology in the conduct of armed forces. But only in the last decade did the realization occur that cyberspace itself has become more than a tool (such as reconnaissance aircraft or aperture radars), but an actual environment. This is a transformation of the global (technological) environment into an artificial environment, in which new rules and power-relations are being established – an environment that state and non-state actors will engineer to suit their strategic interests (Deibert 2011). The goal is to maintain or attain strategic advantage relative to competitors.

Cyberspace is an integrated domain, where public and private, civil and military (though separate networks), national as well as foreign actors operate simultaneously. The anonymity that cyberspace provides allows for complete anonymity of transactions and content and makes attribution a difficult task. The cyber realm offers actors a space that is sheltered and vastly unregulated and therefore allows for all kinds of illicit trades. You cannot pinpoint who is behind an attack or campaign – attacks could even be “crowd sourced” by governments (Choucri/Goldsmith 2012). Another characteristic of the networked environment is that sensitive documents that were locked in filing cabinets behind locked doors are now migrating into the cloud and embedded in social networking services that have questionable security architectures and poor data handling practices – thumb drives being inserted and circulating, disks uploading information, mobile phones sending and receiving information while roaming over different networks.

Now cyber intrusions are not only directed against governmental networks; the great majority target private corporations, which come under the purview of a national government. One of the biggest problems beside cyber crime, and a problem that the FBI identifies as its number 1 criminal priority in the cyber realm, is industrial or economic espionage (Robinson 2007, 5). However, with regard to state-owned intelligence efforts, cyber espionage is “potentially the most valuable addition to spycraft since the advent of signals intelligence” (Sweetman 2012, 18). The intake can include large volumes of detailed technical information that can be disseminated with relative freedom to end-users, i.e. the people designing and engineering systems. The relative freedom comes from the fact that no agents are at risk and the techniques and software used for network penetration are not designed for a long life: The presumption is that they will be detected, countered and replaced with something new.


WHAT IS BEING DONE – WHAT NEEDS TO BE DONE?

One effect of the cyber environment is that such attacks are difficult to detect a priori, and an attack or intrusion – especially the more advanced and persistent kind – is often recognized only after significant damage has been done. There is a range of strategies used to protect networks, some of them more passive or reactive, whereas others are more offensive. Among them are:

Securing hardware and software by a layered approach utilizing the most up-to-date security software (firewalls, scanners, 2-factor authentication, penetration testing of networks, malware detection systems, and other techniques).

Threat analysis and forensics for APTs: Threat analysis is a concept often associated with security threat intelligence, where the focus is directed towards gaining knowledge of new and existing threats for the purpose of formulating defenses to mitigate them. Therefore, the cycle of prepare/analyze/identify/respond (PAIR) is a useful model to more effectively leverage these systems and data with analytical techniques to help locate and eradicate threats in the environment (Spruell/Wanner 2007, 4).10

Collaboration between IT security providers, government and law enforcement entities: In the case of Rocra, Kaspersky Lab is collaborating with international organizations, law enforcement agencies and national Computer Emergency Response Teams (CERTs) of the victim states, thereby continuing the investigation and providing resources for mitigation and remediation (Kaspersky Lab 2013).

Early warning and good counter-intelligence: Effective counter-intelligence is an essential element in combating foreign technical threats. The major problem with cyber is not the actual attack with a kinetic/physical effect such as power outages but cyber espionage, the exfiltration of information without the knowledge of the victim. Part of this is due to our overarching dependence on sophisticated IT and net-centric concepts. What has been a measure of technological edge has increasingly proven to be a huge disadvantage in an adversarial environment (cf. Gosler 2008, 173–198).

Concluding, it has to be said that the threats emanating from cyberspace, the utilization for intelligence collection, require a joint conceptualization of our strategic environment – physical and virtual. Virtual means might be the preferred way to go, but the objectives and motivations still remain strikingly similar. Getting in and getting out again still requires you to think like a bank thief.

1 The sinkholing technique has been successfully used in the past to take down the Zeus Trojan and associated botnet.
2 Usually a group of infected computers that have been recruited for running malicious software is referred to as a “botnet”. A botnet’s originator can control the group and is usually referred to as the main command-and-control server (C&C server).
3 APTs are long-lasting, sustained attacks with a high level of sophistication and a major impact on the victim system.
4 Spearphishing is an attempt directed at specific individuals or companies, where information (such as usernames, passwords, credit card digits etc.) is acquired by masquerading as a trustworthy entity in electronic communication.


5 E.g. by using different embedded executables.
6 Intriguingly, Kaspersky’s researchers explain that in Russian, the term “Zakladka” also refers to a “microphone embedded in a brick of the embassy building”, implying the bugging technique, which was an old standard method used for penetration and interception by the US and USSR/Russia for decades.
7 Stuxnet is the name by which the cyber attack used to bring down Iranian uranium enrichment efforts came to be known.
8 One of the early architects of “Olympic Games” was quoted to have told this to David E. Sanger, when asked how Washington was making use of the new technology of offensive cyber weapons.
9 The shift from air to space: A further step in the creation of far-reaching, detailed, accurate and stealthy reconnaissance capabilities was the shift to the use of satellites during the Cold War. One of the reasons for this was that aircraft could be detected and tracked as well as shot down at some point, and space-based systems offered some benefits by circumventing the dangers threatening aerial overflight.
10 The SANS Advanced Threat Analytics paper provides an excellent, simple and in-depth overview of identification, mitigation strategies and incident response procedures.

Sources of information

Alperovitch, D. (2013). ‘Red October’ Attacks: The New Face of Cyberespionage, Dark Reading.com.
Borger, J. (2001). America’s War with an invisible enemy. Guardian Online. May 8, http://www.guardian.co.uk/world/2001/may/08/worlddispatch.julianborger.
Choucri, N./Goldsmith, D. (2012). Lost in cyberspace: Harnessing the Internet, international relations and global security, Bulletin of the Atomic Scientists, 70–77.
Deibert, R. (2011). Tracking the emerging arms race in cyberspace, Interview, The Bulletin of the Atomic Scientists 67 (1), 1–8.
Gosler, J. (2008). Counterintelligence: Too Narrowly Practiced, in: Sims, J. E./Gerber, B. (eds.) Vaults, Mirrors & Masks: Rediscovering US Counterintelligence, Washington D.C.
Kaspersky Lab (2013). “Red October” Diplomatic Cyber Attacks Investigation. Jan 14, http://www.kaspersky.com/about/news/virus/2013/Kaspersky_Lab_Identifies_Operation_Red_October_an_Advanced_Cyber_Espionage_Campaign_Targeting_Diplomatic_and_Government_Institutions_Worldwide.
Nakashima, E. (2013). Computer Malware targets European Agencies. Washington Post, Jan 14, http://articles.washingtonpost.com/2013-01-14/world/36323010_1_malware-flame-virus-targets.
Robinson, S. (2007). Corporate Espionage 201, SANS Institute Infosec Reading Room, http://www.sans.org/reading_room/whitepapers/engineering/corporate-espionage-201_512.
Sanger, D. (2012). Confront and Conceal. Obama’s Secret Wars and Surprising Use of American Power, Washington D.C.
Sims, J. E./Gerber, B. (eds.) (2008). Vaults, Mirrors & Masks: Rediscovering US Counterintelligence, Washington, D.C.
Smith, C. (2001). CIA’s Analysis of Soviet Science and Technology, CIA’s Analysis Of The Soviet Union, 1947–1991, https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/cias-analysis-of-the-soviet-union-1947-1991/analysis_sANDt.pdf.
Spruell, D./Wanner, R. (2007). Advanced Threat Analytics for Incident Response. SANS Institute InfoSec Reading Room, www.sans.org/.../advanced-threat-analytics-incident-response_2133.
Sweetman, B. (2012). I Spy, Aviation Week & Space Technology 174 (40), 72–72.

Further Literature and Links

Carr, J. (2012). Inside Cyber Warfare: Mapping the Cyber Underworld, Sebastopol, CA.
Clarke, R. A./Knake, R. K. (2010). Cyber War: The Next Threat to National Security and What to Do About It, New York.
INSA Report (2011). Cyber Intelligence. Setting the Landscape for an Emerging Discipline, https://images.magnetmail.net/images/clients/INSA/attach/INSA_CYBER_INTELLIGENCE_2011.pdf.
Johnson, L. (2007). Handbook of Intelligence Studies, New York.
Williams, P./Shimeall, T./Dunlevy, C. (2002). Intelligence Analysis for Internet Security, Contemporary Security Policy 23 (2), 1–38.
Cyber Statecraft Initiative of the Atlantic Council, http://www.acus.org/tags/cyber-statecraft-initiative.
International Cyber Security Protection Alliance, https://www.icspa.org/.
KillerApps – National Security in the Cyber Age (John Reeds Foreign Policy Blog), http://killerapps.foreignpolicy.com/.
NATO Cooperative Cyber Defence Centre of Excellence, https://www.ccdcoe.org/.
Zero Day – The Threat in Cyberspace. A Washington Post Special Report, http://www.washingtonpost.com/investigations/zero-day.
