Kaspersky Lab identifies the Red October cyber-espionage campaign

18 January 2013 | In Curiosidades | 203 views


Kaspersky Lab announces the discovery of a new cyber-espionage campaign directed at diplomatic bodies and scientific and governmental research centres, in operation for at least five years. The targets are Eastern European countries, former members of the Soviet Union and countries of Central Asia, although the victims also include organisations in Western Europe, North America, Brazil and Chile.

In October 2012, Kaspersky Lab's team of analysts began an investigation based on a series of attacks directed against the international networks of different diplomatic service agencies. According to the company's report, operation Red October, also called "Rocra" for short, began in 2007 and is still active today.

Two techniques were used to identify the malware: Kaspersky Security Network (KSN), the cloud-based protection network present in all the company's products, which confirmed the infection of hundreds of embassies, scientific research institutes, consulates and government and organisational systems; and the creation of a sinkhole server, which made it possible to identify 55 thousand connections (from 250 IP addresses in 39 different countries) in the period between November 2012 and January 2013. KSN had detected the exploit code used in the Rocra operation since 2011.
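The sinkhole figures quoted above (connections, distinct IP addresses, countries, inside a date window) are the kind of summary a defender produces from sinkhole connection logs. The following is an added example and not Kaspersky Lab's code: the log line format, the sample log lines and the IP-to-country table are all constructed for illustration, with a plain dictionary standing in for a real GeoIP lookup.

```python
"""Summarise sinkhole connection logs inside a date window.

Added example, not Kaspersky Lab code. The log format
"<timestamp> <source ip> <requested hostname>", the sample lines and the
IP-to-country table are constructed for illustration.
"""
from collections import Counter
from datetime import datetime
from ipaddress import ip_address

# Constructed sample log lines (documentation-range addresses only).
SAMPLE_LOG = """\
2012-11-03T08:12:41Z 203.0.113.10 c2-placeholder.example
2012-11-03T08:12:55Z 203.0.113.10 c2-placeholder.example
2012-11-19T14:02:03Z 198.51.100.7 c2-placeholder.example
2012-12-24T23:59:59Z 192.0.2.200 c2-placeholder.example
2013-01-08T10:00:00Z 198.51.100.7 c2-placeholder.example
2013-02-01T00:00:01Z 192.0.2.201 c2-placeholder.example
2012-10-30T09:00:00Z 203.0.113.10 c2-placeholder.example
this line is malformed and must be skipped
"""

# Constructed stand-in for a GeoIP database: source IP -> country code.
GEO = {
    "203.0.113.10": "XA",
    "198.51.100.7": "XB",
    "192.0.2.200": "XC",
    "192.0.2.201": "XC",
}

# Observation window matching the one quoted in the article.
WINDOW_START = datetime(2012, 11, 1)
WINDOW_END = datetime(2013, 1, 31, 23, 59, 59)


def parse_line(line):
    """Split one log line into (timestamp, ip, hostname).

    Raises ValueError for a malformed line, so callers can skip it."""
    ts, ip, host = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ip_address(ip)  # validates the address; raises ValueError if malformed
    return when, ip, host


def summarize(log_text, geo=GEO, start=WINDOW_START, end=WINDOW_END):
    """Count connections, distinct source IPs and countries inside the window.

    Country totals are computed per distinct IP (one infected host counts once),
    not per connection, so a chatty host does not inflate its country."""
    connections = 0
    per_ip = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        try:
            when, ip, _host = parse_line(raw)
        except ValueError:
            continue  # malformed line: ignore rather than abort the whole run
        if not (start <= when <= end):
            continue  # outside the observation window
        connections += 1
        per_ip[ip] += 1
    countries = Counter(geo.get(ip, "??") for ip in per_ip)
    return {
        "connections": connections,
        "unique_ips": len(per_ip),
        "countries": len(countries),
        "top_countries": countries.most_common(3),
        "top_ips": per_ip.most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Of the seven well-formed sample lines, five fall inside the window; the October and February lines and the malformed line are dropped, giving 5 connections from 3 distinct IPs in 3 countries.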

The main objective of the creators is to obtain private documents from the compromised organisations, such as geopolitical intelligence data, as well as credentials for access to restricted systems, personal mobile devices and network equipment. The cybercriminals use the information collected in the infected networks to gain access to additional systems. For example, the stolen credentials were compiled into a list that was used to guess passwords or passphrases on other critical systems.

The attacks focus on diplomatic and governmental agencies of various countries around the world, in addition to research institutions, nuclear energy companies, trade and the aerospace industry. The cyber-espionage campaign spread through phishing messages carrying a custom trojan; the malicious e-mail was responsible for infecting the system and included exploits for security vulnerabilities in Microsoft Office and Microsoft Excel.

The creators of Red October developed their own malware, identified as "Rocra", with its own modular architecture composed of extensions, malicious modules and backdoor trojans. The attack platform was versatile and used different extensions and malicious files to adapt to the different target systems and extract information from the infected equipment. The Rocra platform had not been identified in any previously analysed cyber-espionage campaign.

Among the key findings, the following stand out:

  • Resurrection module: embedded as a plug-in inside Adobe Reader and Microsoft Office, it allows the malware to reinstall itself if the main body of the infection is removed or the system is patched.
  • Advanced cryptographic espionage modules: the main objective of the espionage modules was information theft, including files from different encryption systems such as Acid Cryptofiler, which is known to be used to protect sensitive information in organisations such as NATO, the European Union, the European Parliament and the European Commission since the summer of 2011.
  • Mobile devices: in addition to attacking traditional workstations, the malware is capable of stealing data from mobile devices such as smartphones (iPhone, Nokia and Windows Mobile), including configuration information from corporate network equipment such as routers or switches, as well as deleted files from removable drives.
  • Identification of the attacker: based on the registration data of the C&C servers and the numerous "artifacts" left in the malware executables, there is strong evidence that the attackers are of Russian-speaking origin. In addition, the executables used were unknown until recently and had not been seen in cyber-espionage attacks previously analysed by Kaspersky Lab.

Kaspersky Lab, in collaboration with international organisations, authorities and CERTs (computer security incident response teams), will continue its investigation into Rocra. The company thanks US-CERT and the Romanian and Belarusian CERTs for their help with the research.

Kaspersky Lab products detect the Rocra malware as Backdoor.Win32.Sputnik, blocking and disabling it.

More information about the Red October campaign: click here.

Author: computer engineer in Ivaiporã-PR, administrator of the Dicas em Geral group, passionate about technology and computing.
