This Day On The Street
Continue to site
ADVERTISEMENT
This account is pending registration confirmation. Please click on the link within the confirmation email previously sent you to complete registration.
Need a new registration confirmation email? Click here

Kaspersky Lab Identifies Operation "Red October," An Advanced Cyber-Espionage Campaign Targeting Diplomatic And Government Institutions Worldwide

To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries, with the majority being in Germany and Russia. Kaspersky Lab's analysis of Rocra's Command & Control (C2) infrastructure shows that the chain of servers was actually working as proxies in order to hide the location of the 'mothership' control server.

Information stolen from infected systems includes documents with extensions: txt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau,  cif, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca, aciddsk, acidpvr, acidppr, acidssa. In particular, the "acid*" extensions appears to refer to the classified software "Acid Cryptofiler", which is used by several entities, from the European Union to NATO.

Infecting Victims

To infect systems, the attackers sent a targeted spear-phishing email to a victim that included a customised Trojan dropper. In order to install the malware and infect the system the malicious email included exploits that were rigged for security vulnerabilities inside Microsoft Office and Microsoft Excel. The exploits from the documents used in the spear-phishing emails were created by other attackers and employed during different cyber attacks including Tibetan activists as well as military and energy sector targets in Asia. The only thing that was changed in the document used by Rocra was the embedded executable, which the attackers replaced with their own code.  Notably, one of the commands in the Trojan dropper changed the default system codepage of the command prompt session to 1251, which is required to render Cyrillic fonts.  

Targeted Victims & Organisations

Kaspersky Lab's experts used two methods to analyse the target victims. First, they used detection statistics from the Kaspersky Security Network (KSN), which is the cloud-based security service used by Kaspersky Lab products to report telemetry and deliver advanced threat protection in the forms of blacklists and heuristic rules. KSN had been detecting the exploit code used in the malware as early as 2011, which enabled Kaspersky Lab's experts to search for similar detections related to Rocra. The second method used by Kaspersky Lab's research team was creating a sinkhole server so they could monitor infected machines connecting to Rocra's C2 servers. The data received during the analysis from both methods provided two independent ways of correlating and confirming their findings.
  • KSN statistics: Several hundred unique infected systems were detected by the data from KSN, with the focus being on multiple embassies, government networks and organisations, scientific research institutes and consulates. According to KSN's data, the majority of infections that were identified were located  primarily in Eastern Europe, but other infections were also identified in North America and countries in Western Europe, as Switzerland and Luxembourg.
  • Sinkhole statistics: Kaspersky Lab's sinkhole analysis took place from November 2 nd, 2012 - January 10th, 2013. During this time more than 55,000 connections from 250 infected IP addresses were registered in 39 countries. The majority of infected IP connections were coming from Switzerland, followed by Kazakhstan and Greece.

Rocra malware: unique architecture and functionality

2 of 5

Check Out Our Best Services for Investors

Action Alerts PLUS

Portfolio Manager Jim Cramer and Director of Research Jack Mohr reveal their investment tactics while giving advanced notice before every trade.

Product Features:
  • $2.5+ million portfolio
  • Large-cap and dividend focus
  • Intraday trade alerts from Cramer
Quant Ratings

Access the tool that DOMINATES the Russell 2000 and the S&P 500.

Product Features:
  • Buy, hold, or sell recommendations for over 4,300 stocks
  • Unlimited research reports on your favorite stocks
  • A custom stock screener
Stocks Under $10

David Peltier uncovers low dollar stocks with serious upside potential that are flying under Wall Street's radar.

Product Features:
  • Model portfolio
  • Stocks trading below $10
  • Intraday trade alerts
14-Days Free
Only $9.95
14-Days Free
Dividend Stock Advisor

David Peltier identifies the best of breed dividend stocks that will pay a reliable AND significant income stream.

Product Features:
  • Diversified model portfolio of dividend stocks
  • Updates with exact steps to take - BUY, HOLD, SELL
Trifecta Stocks

Every recommendation goes through 3 layers of intense scrutiny—quantitative, fundamental and technical analysis—to maximize profit potential and minimize risk.

Product Features:
  • Model Portfolio
  • Intra Day Trade alerts
  • Access to Quant Ratings
Options Profits

Our options trading pros provide over 100 monthly option trading ideas and strategies to help you become a well-seasoned trader.

Product Features:
  • Actionable options commentary and news
  • Real-time trading community
SYM TRADE IT LAST %CHG

Markets

Chart of I:DJI
DOW 16,191.14 +132.79 0.83%
S&P 500 1,920.84 +6.99 0.37%
NASDAQ 4,662.4790 +26.3740 0.57%

Free Reports

Top Rated Stocks Top Rated Funds Top Rated ETFs