Published on January 18th, 2013 | by Steven Hodson
Red October: A 5-year malware attack against governments
Big news today on the security scare front thanks to a new report from security software firm Kaspersky Lab, which identifies and details an extremely sophisticated espionage campaign that has been pushing a custom malware package since at least May 2007. The attack was directed at several hundred victims, mainly government and diplomatic organizations in Eastern Europe and Central Asia, but infections were also found in North America and Western Europe.
Dubbed “Operation Red October” by Kaspersky researchers, it is considered a highly coordinated campaign that could potentially have collected hundreds of terabytes of sensitive government information. Its success at staying under the wider security industry’s radar is credited to its modular design: over 1,000 distinct modules at the latest count, which researchers say is the first time they have seen components customized to the specific attack profile of each intended victim.
This customization is possible, the researchers say, because each infection is indexed by a unique ID assigned to that specific machine. This identifier lets whoever is controlling the campaign tailor each attack to the specific attributes of the victim. The same ID is sent when the infected machine connects to the command-and-control channel, which gives the attackers further control over what that particular instance of the malware does.
Researchers found that, besides components targeting individual PCs, the attack could also be turned against networking equipment from Cisco and smartphones from Apple, Microsoft, and Nokia. They also discovered that the attackers use a network of command-and-control servers whose complexity, researchers say, rivals that of the infrastructure used by the Flame espionage malware attack against Iran.
Even with all this sophistication, researchers don’t believe Red October is related in any way to other “state sponsored” malware attacks such as Flame, Gauss, or Duqu. The information being gathered, however, is of sufficiently high quality that it would probably fetch top dollar in the underground and be sold to the highest bidder.