Kaspersky Lab identified an elusive cyber-espionage campaign targeting diplomatic, governmental and scientific research organizations in several countries for at least five years.
The primary focus of this campaign targets countries in Eastern Europe, former USSR Republics, and countries in Central Asia, although victims can be found everywhere, including Western Europe and North America.
The main objective of the attackers was to gather sensitive documents from the compromised organizations, which included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment.
In October 2012 Kaspersky Lab’s team of experts initiated an investigation following a series of attacks against computer networks targeting international diplomatic service agencies. A large scale cyber-espionage network was revealed and analyzed during the investigation.
Main research findings
The attackers have been active since at least 2007 and have been focusing on diplomatic and governmental agencies of various countries across the world, in addition to research institutions, energy and nuclear groups, and trade and aerospace targets.
The Red October attackers designed their own malware, identified as “Rocra,” with a unique modular architecture made up of malicious extensions, information-stealing modules and backdoor Trojans.
The attackers often used information exfiltrated from infected networks as a way to gain entry into additional systems. For example, stolen credentials were compiled in a list and used when the attackers needed to guess passwords or phrases to gain access to additional systems.
To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries, with the majority being in Germany and Russia. Kaspersky Lab’s analysis of Rocra’s Command & Control (C2) infrastructure shows that the chain of servers actually worked as proxies in order to hide the location of the “mothership” control server.
Information stolen from infected systems includes documents with extensions: txt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau, cif, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca, aciddsk, acidpvr, acidppr, acidssa. In particular, the “acid*” extensions appear to refer to the classified software “Acid Cryptofiler”, which is used by several entities, from the European Union to NATO.
To infect systems, the attackers sent a targeted spear-phishing email to a victim that included a customized Trojan dropper. In order to install the malware and infect the system, the malicious email included exploits for security vulnerabilities in Microsoft Office and Microsoft Excel.
The exploits in the documents used in the spear-phishing emails were created by other attackers and had been employed in different cyber attacks, including those against Tibetan activists as well as military and energy sector targets in Asia. The only thing changed in the document used by Rocra was the embedded executable, which the attackers replaced with their own code. Notably, one of the commands in the Trojan dropper changed the default system codepage of the command prompt session to 1251, which is required to render Cyrillic fonts.
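The codepage switch described above is a usable host-side detection signal. The following is an added example (not Kaspersky Lab's code) that scores constructed process-creation events: an Office application spawning cmd.exe is suspicious on its own, and a command line that switches the console codepage to 1251 raises the score further. The event fields, parent names and sample command lines are assumptions modelled on typical endpoint telemetry, not values from the report.

```python
import re
from dataclasses import dataclass

# Office applications that the spear-phishing documents were opened in (Word and Excel).
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
# The dropper behaviour noted in the report: switching the console codepage to 1251 (Cyrillic).
CODEPAGE_RE = re.compile(r"\bchcp\s+1251\b", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (hypothetical field names)."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent):
    """Return (score, reasons) for one event; 0 means nothing of interest."""
    score, reasons = 0, []
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in OFFICE_PARENTS and child == "cmd.exe":
        score += 1
        reasons.append(f"{parent} spawned cmd.exe")
        if CODEPAGE_RE.search(ev.command_line):
            score += 2
            reasons.append("console codepage switched to 1251")
    return score, reasons


def detect(events, threshold=3):
    """Return [(event, score, reasons)] for events at or above the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits


# Constructed sample events (not real telemetry); the payload path is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\Office12\EXCEL.EXE",
              r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c chcp 1251 & "%TEMP%\PLACEHOLDER_PAYLOAD.exe"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c chcp 1251"),
    ProcEvent(r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]
```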
Targeted victims and organizations
Kaspersky Lab’s experts used two methods to analyze the target victims. First, they used detection statistics from the Kaspersky Security Network (KSN), the cloud-based security service used by Kaspersky Lab products to report telemetry and deliver advanced threat protection in the form of blacklists and heuristic rules. KSN had been detecting the exploit code used in the malware as early as 2011, which enabled Kaspersky Lab’s experts to search for similar detections related to Rocra.
The second method used by Kaspersky Lab’s research team was creating a sinkhole server so they could monitor infected machines connecting to Rocra’s C2 servers. The data received during the analysis from both methods provided two independent ways of correlating and confirming their findings.
KSN statistics: Several hundred unique infected systems were detected by the data from KSN, with the focus being on multiple embassies, government networks and organizations, scientific research institutes and consulates. According to KSN’s data, the majority of infections that were identified were located primarily in Eastern Europe, but other infections were also identified in North America and countries in Western Europe, such as Switzerland and Luxembourg.
Sinkhole statistics: Kaspersky Lab’s sinkhole analysis took place from November 2, 2012 to January 10, 2013. During this time more than 55,000 connections from 250 infected IP addresses were registered in 39 countries. The majority of infected IP connections were coming from Switzerland, followed by Kazakhstan and Greece.
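The sinkhole figures above (total connections, distinct infected IP addresses, countries, and a per-country ranking) are the kind of summary produced from a sinkhole's access log. The following is an added example, not Kaspersky Lab's code, that derives those numbers from constructed log lines; the log format and the IP-to-country table stand in for a real sinkhole log and a GeoIP database and are assumptions.

```python
from collections import Counter

# Constructed sinkhole access log: "<timestamp> <source IP>" per line (not real captures).
SINKHOLE_LOG = """\
2012-11-02T08:14:51Z 198.51.100.10
2012-11-02T08:19:52Z 198.51.100.10
2012-11-02T09:01:07Z 203.0.113.5
2012-11-03T11:45:00Z 192.0.2.77
2012-11-03T11:50:03Z 198.51.100.10
2012-11-04T07:02:30Z 203.0.113.9
"""

# Constructed stand-in for a GeoIP lookup (documentation-range addresses only).
IP_COUNTRY = {
    "198.51.100.10": "CH",
    "203.0.113.5": "KZ",
    "192.0.2.77": "GR",
    "203.0.113.9": "CH",
}


def parse_log(text):
    """Return a list of (timestamp, ip) tuples, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            events.append((parts[0], parts[1]))
    return events


def summarize(events, geo):
    """Aggregate connections, unique IPs and countries the way a sinkhole report does.

    Caveat: one IP may be a NAT gateway in front of many hosts, and dynamic
    addressing can make one host look like several, so IP counts are an
    approximation of infected machines, not an exact census.
    """
    ips = {ip for _, ip in events}
    return {
        "connections": len(events),
        "unique_ips": len(ips),
        "countries": len({geo.get(ip, "??") for ip in ips}),
        # Distinct infected IPs per country, and raw connection volume per country.
        "ips_by_country": Counter(geo.get(ip, "??") for ip in ips),
        "connections_by_country": Counter(geo.get(ip, "??") for _, ip in events),
    }
```

The two per-country counters answer different questions: one ranks countries by number of infected addresses, the other by beaconing volume, and a single chatty host can dominate the latter.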
Rocra malware: unique architecture and functionality
The attackers created a multi-functional attack platform that includes several extensions and malicious files designed to quickly adjust to different systems’ configurations and harvest intelligence from infected machines. The platform is unique to Rocra and has not been identified by Kaspersky Lab in previous cyber-espionage campaigns. Notable characteristics include:
“Resurrection” module: A unique module that enables the attackers to “resurrect” infected machines. The module is embedded as a plug-in inside Adobe Reader and Microsoft Office installations and provides the attackers a foolproof way to regain access to a target system if the main malware body is discovered and removed, or if the system is patched. Once the C2s are operational again the attackers send a specialized document file (PDF or Office document) to victims’ machines via e-mail which will activate the malware again.
Advanced cryptographic spy-modules: The main purpose of the spying modules is to steal information. This includes files from different cryptographic systems, such as Acid Cryptofiler, which is known to be used in organizations of NATO, the European Union, European Parliament and European Commission since the summer of 2011 to protect sensitive information.
Mobile devices: In addition to targeting traditional workstations, the malware is capable of stealing data from mobile devices, such as smartphones (iPhone, Nokia and Windows Mobile). The malware is also capable of stealing configuration information from enterprise network equipment such as routers and switches, as well as deleted files from removable disk drives.
Based on the registration data of C2 servers and the numerous artifacts left in executables of the malware, there is strong technical evidence to indicate the attackers have Russian-speaking origins.
In addition, the executables used by the attackers were unknown until recently, and were not identified by Kaspersky Lab’s experts while analyzing previous cyber-espionage attacks.