Red October Cyber Espionage Campaign Crumbles Day After Uncloaking

The attackers carrying out the Red October cyber espionage campaign, detailed by security firm Kaspersky yesterday, have already started running scared.

Various embassies and other government bodies, including nuclear and energy organisations, were hit by the Red October group in highly targeted attacks, which started back in 2007.

The main targets were based out of Eastern European nations, but infections were uncovered across the world, with bespoke malware designed for separate victims, indicating the attackers knew precisely who they wanted to hit.

Cyber espionage campaign downed?

But the clandestine five-year initiative looks set to fall apart, having been made public yesterday by the Russian security firm. Kaspersky has seen pieces of the cyber espionage campaign’s command & control infrastructure come offline, although it is still showing some signs of life.

“The attackers started dismantling the infrastructure last night at 11pm GMT, by taking down some of the C2s [command servers] and superproxies,” Costin Raiu, senior security researcher at Kaspersky Labs, told TechWeekEurope.

“At the same time, ISPs have shut down some of the C2s while registrars have killed the domain names. Currently, there are still some active servers, however, the infrastructure is severely disrupted and mostly not working anymore.”

Other details about the campaign emerged today. F-Secure posted a number of screenshots of the malicious Microsoft Word and Excel files used by the Red October crew.

“We see thousands of similar documents in our systems every month. The Red October attacks are interesting because of the large scale of the espionage done by a single entity, and the long timespan they cover,” F-Secure said in a blog post. “However, the sad truth is that companies and governments are constantly under similar attacks from many different sources.”

Security company Seculert found the Red October attackers were exploiting an ex-zero-day vulnerability in Java, which Oracle patched back in October 2011.

“Looking at the server side source code of the malware payload page, we can see that the attackers are adding a fingerprint at the end of the malware executable, which includes the unique identifier of the targeted victim. This is the same unique identifier which is used by the malware later on while communicating with the C2 servers,” a blog from Seculert read.
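Seculert's observation above describes a per-victim identifier appended to the end of the executable. An analyst checking a suspect sample for that pattern would look for an overlay: bytes that sit past the end of the last PE section and are not referenced by the section table. The script below is an added example written for this article, not code from Seculert, Kaspersky or F-Secure. It assumes the fingerprint is a plain PE overlay (the page says only "at the end of the malware executable"); the minimal PE it builds and the `VICTIM-ID-0001-CONSTRUCTED` tag are constructed test data, and `pe_image_end`, `extract_overlay` and `overlay_digest` are names chosen here.

```python
import hashlib
import struct

SECTION_HEADER_SIZE = 40  # IMAGE_SECTION_HEADER is always 40 bytes


def pe_image_end(data: bytes) -> int:
    """Return the file offset where the PE image proper ends.

    That is the furthest end of any section's raw data (or the end of the
    section table if no section carries data). Anything after this offset
    is an overlay: the loader never maps it, so appended data such as a
    per-victim tag lives there.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")

    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    section_table = coff + 20 + size_of_optional

    end = section_table + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):
        hdr = section_table + i * SECTION_HEADER_SIZE
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in the header
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        if size_raw:
            end = max(end, ptr_raw + size_raw)
    return min(end, len(data))


def extract_overlay(data: bytes) -> bytes:
    """Return the bytes appended after the PE image (empty if none)."""
    return data[pe_image_end(data):]


def overlay_digest(data: bytes) -> str:
    """SHA-256 of the overlay, usable as a key to group samples that carry
    the same appended identifier and to match it against C2 traffic logs."""
    return hashlib.sha256(extract_overlay(data)).hexdigest()


def build_sample_pe(overlay: bytes) -> bytes:
    """Build a minimal, non-executable PE stub (constructed test data) with
    one 16-byte section followed by the given overlay."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature at offset 64
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 for this stub), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    # One section header: raw data of 16 bytes starting at file offset 128
    section = struct.pack("<8sIIIIIIHHI", b".text", 16, 0x1000, 16, 128,
                          0, 0, 0, 0, 0x60000020)
    body = b"\x90" * 16
    return bytes(dos) + b"PE\0\0" + coff + section + body + overlay


# Constructed sample: a stub binary with a fake victim tag appended
SAMPLE_TAG = b"VICTIM-ID-0001-CONSTRUCTED"
SAMPLE = build_sample_pe(SAMPLE_TAG)

if __name__ == "__main__":
    tail = extract_overlay(SAMPLE)
    print(f"image ends at offset {pe_image_end(SAMPLE)}, overlay {len(tail)} bytes")
    print(f"overlay: {tail!r}")
    print(f"overlay sha256: {overlay_digest(SAMPLE)}")
```

Running the script on a real sample means reading the file into `data` instead of using `SAMPLE`; a non-empty overlay is only a lead, since installers and signed binaries also carry overlays, so the digest should be compared across samples from the same campaign before treating it as a victim tag.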


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
