In October 2012, Kaspersky Lab’s Global Research & Analysis Team initiated a new threat research after a series of attacks against computer networks of various international diplomatic service agencies. A large scale cyber-espionage network was revealed and analyzed during the investigation, which we called «Red October» (after famous novel «The Hunt For The Red October»).
This report is based on detailed technical analysis of a series of targeted attacks against diplomatic, governmental and scientific research organizations in different countries, mostly related to the region of Eastern Europe, former USSR members and countries in Central Asia.
The main objective of the attackers was to gather intelligence from the compromised organizations, which included computer systems, personal mobile devices and network equipment.
Main Findings
Advanced Cyber-espionage Network:
Unique architecture:
Broad variety of targets:
Importation of exploits:
Attacker identification:
These attacks comprised of the classical scenario of specific targeted attacks, consisting of two major stages:
- Initial infection
- Additional modules deployed for intelligence gathering
The malicious code was delivered via e-mail as attachments (Microsoft Excel, Word and, probably PDF documents) which were rigged with exploit code for known security vulnerabilities in the mentioned applications.
Right after the victim opened the malicious document on a vulnerable system, the embedded malicious code initiated the setup of the main component which in turn handled further communication with the C&C servers.
Next, the system receives a number of additional spy modules from the C&C server, including modules to handle infection of smartphones.
The main purpose of the spying modules is to steal information. This includes files from different cryptographic systems, such as «Acid Cryptofiler», (see
https://fr.wikipedia.org/wiki/Acid_Cryptofiler) which is known to be used in organizations of European Union/European Parliament/European Commission since the summer of 2011. All gathered information is packed, encrypted and only then transferred to the C&C server.
.......
Another noteworthy fact is in the first line of this file, which is a command to switch the codepage of an infected system to 1251. This is required to address files and directories that contain Cyrillic characters in their names.
The «LHAFD.GCP» file is encrypted with RC4 and compressed with the "Zlib" library. This file is essentially a backdoor, which is decoded by the loader module (svchost.exe). The decrypted file is injected into system memory and is responsible for communication with the C&C server.
...........
There is a notable module among all others, which is essentially created to be embedded into Adobe Reader and Microsoft Office applications. The main purpose of its code is to create a foolproof way to regain access to the target system. The module expects a specially crafted document with attached executable code and special tags. The document may be sent to the victim via e-mail. It will not have an exploit code and will safely pass all security checks. However, like with exploit case, the document will be instantly processed by the module and the module will start a malicious application attached to the document.
.....
We have identified over 1000 different malicious files related to over 30 modules of this Trojan kit. Most of them were created between May 2010 and October 2012.
There were 115 file-creation dates identified which are related to these campaigns via emails during the last two and a half years. Concentration of file creation dates around a particular day may indicate date of the massive attacks (which was also confirmed by some of our side observations):
Year 2010
- 19.05.2010
- 21.07.2010
- 04.09.2010
Year 2011
- 05.01.2011
- 14.03.2011
- 05.04.2011
- 23.06.2011
- 06.09.2011
- 21.09.2011
Year 2012
We used two approaches to identify targets for these attacks. First, we used the Kaspersky Security Network (KSN) and then we set up our own sinkhole server. The data received using two independent ways was correlating and this confirmed objective findings.
........
| RUSSIAN FEDERATION | 35 |
| KAZAKHSTAN | 21 |
| AZERBAIJAN | 15 |
| BELGIUM | 15 |
| INDIA | 15 |
| AFGHANISTAN | 10 |
| ARMENIA | 10 |
| IRAN | 7 |
| TURKMENISTAN | 7 |
| UKRAINE | 6 |
| UNITED STATES | 6 |
| VIET NAM | 6 |
| BELARUS | 5 |
| GREECE | 5 |
| ITALY | 5 |
| MOROCCO | 5 |
| PAKISTAN | 5 |
| SWITZERLAND | 5 |
| UGANDA | 5 |
| UNITED ARAB EMIRATES | 5 |
| BRAZIL | 4 |
| FRANCE | 4 |
| GEORGIA | 4 |
| GERMANY | 4 |
| JORDAN | 4 |
| MOLDOVA | 4 |
| SOUTH AFRICA | 4 |
| TAJIKISTAN | 4 |
| TURKEY | 4 |
| UZBEKISTAN | 4 |
| AUSTRIA | 3 |
| CYPRUS | 3 |
| KYRGYZSTAN | 3 |
| LEBANON | 3 |
| MALAYSIA | 3 |
| QATAR | 3 |
| SAUDI ARABIA | 3 |
| CONGO | 2 |
| INDONESIA | 2 |
| KENYA | 2 |
| LITHUANIA | 2 |
| OMAN | 2 |
| TANZANIA | 2 |
Countries with more than one infections
From the point of view of country distribution of connections to the sinkhole, we have observed victims in 39 countries, with most of IPs being from Switzerland. Kazakhstan and Greece follow next.
I.......
Some of the victim organizations were identified using IP addresses and public WHOIS information or remote system names.
Most «interesting» out of those are:
| Algeria - Embassy |
| Afghanistan - Gov, Military, Embassy, |
| Armenia - Gov, Embassy |
| Austria - Embassy |
| Azerbaijan - Oil/Energy, Embassy, Research, |
| Belarus - Research, Oil/Energy, Gov, Embassy |
| Belgium - Embassy |
| Bosnia and Herzegovina - Embassy |
| Botswana - Embassy |
| Brunei Darussalam – Gov |
| Congo – Embassy |
| Cyprus - Embassy, Gov |
| France - Embassy, Military |
| Georgia - Embassy |
| Germany - Embassy |
| Greece – Embassy |
| Hungary -Embassy |
| India – Embassy |
| Indonesia - Embassy |
| Iran – Embassy |
| Iraq – Gov |
| Ireland - Embassy |
| Israel - Embassy |
| Italy -Embassy |
| Japan - Trade, Embassy |
| Jordan - Embassy |
| Kazakhstan - Gov, Research, Aerospace, Nuclear/Energy, Military |
| Kenya - Embassy |
| Kuwait - Embassy |
| Latvia - Embassy |
| Lebanon - Embassy |
| Lithuania - Embassy |
| Luxembourg - Gov |
| Mauritania - Embassy |
| Moldova - Gov, Military, Embassy |
| Morocco - Embassy |
| Mozambique - Embassy |
| Oman - Embassy |
| Pakistan - Embassy |
| Portugal - Embassy |
| Qatar - Embassy |
| Russia - Embassy, Research, Military, Nuclear/Energy |
| Saudi Arabia - Embassy |
| South Africa - Embassy |
| Spain - Gov, Embassy |
| Switzerland - Embassy |
| Tanzania - Embassy |
| Turkey - Embassy |
| Turkmenistan - Gov, Oil/Energy |
| Uganda - Embassy |
| Ukraine - Military |
| United Arab Emirates - Oil/Energy, Embassy, Gov |
| United States - Embassy |
| Uzbekistan - Embassy |
............
For instance, a top level XLS dropper presumably used against a Polish target, named “Katyn_-_opinia_Rosjan.xls” contains the hardcoded victim ID “F50D0B17F870EB38026F”. A similar XLS named “tactlist_05-05-2011_.8634.xls / EEAS New contact list (05-05-2011).xls” possibly used in Moldova contains a victim ID “FCF5E48A0AE558F4B859”.
