Red October Cyber Espionage Campaign Crumbles Day After Uncloaking

The attackers carrying out the Red October cyber espionage campaign, detailed by security firm Kaspersky yesterday, have already started running scared.

Various embassies and other government bodies, including nuclear and energy organisations, were hit by the Red October group in highly targeted attacks, which started back in 2007.

The main targets were based out of Eastern European nations, but infections were uncovered across the world, with bespoke malware designed for separate victims, indicating the attackers knew precisely who they wanted to hit.

Cyber espionage campaign downed?

But the clandestine five-year initiative looks set to fall apart, having been made public yesterday by the Russian security firm. Kaspersky has seen pieces of the cyber espionage campaign’s command & control infrastructure come offline, although it is still showing some signs of life.

“The attackers started dismantling the infrastructure last night at 11pm GMT, by taking down some of the C2s [command servers] and superproxies,” Costin Raiu, senior security researcher at Kaspersky Lab, told TechWeekEurope.

“At the same time, ISPs have shut down some of the C2s while registrars have killed the domain names. Currently, there are still some active servers, however, the infrastructure is severely disrupted and mostly not working anymore.”

Other details about the campaign emerged today. F-Secure posted a number of screenshots of the malicious Microsoft Word and Excel files used by the Red October crew.

“We see thousands of similar documents in our systems every month. The Red October attacks are interesting because of the large scale of the espionage done by a single entity, and the long timespan they cover,” F-Secure said in a blog post. “However, the sad truth is that companies and governments are constantly under similar attacks from many different sources.”

Security company Seculert found that the Red October attackers also exploited a Java vulnerability that had once been a zero-day but which Oracle had patched back in October 2011, meaning the attacks relied on victims still running unpatched Java.

“Looking at the server side source code of the malware payload page, we can see that the attackers are adding a fingerprint at the end of the malware executable, which includes the unique identifier of the targeted victim. This is the same unique identifier which is used by the malware later on while communicating with the C2 servers,” a blog from Seculert read.
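As an added example, not code from Seculert, Kaspersky or the article, the following Python shows the mechanism Seculert describes and the corresponding analyst check: a per-victim identifier appended past the end of the last PE section (an "overlay"), and a parser that walks the PE section table to find where the linked image ends, pulls out whatever was stamped after it, and matches that identifier against C2 request logs. The trailer layout (a four-byte marker followed by an ASCII ID), the hand-built PE image and the log lines are all constructed for illustration; the article does not describe the real encoding.

```python
"""Appended-fingerprint (PE overlay) stamping and detection.

Added example, not Seculert's or Kaspersky's code. The real encoding of the
Red October fingerprint is not given in the article; the trailer format
(4-byte marker + ASCII victim ID), the minimal PE image and the log lines
below are all constructed assumptions used for illustration.
"""
import struct
from typing import List, Optional

MAGIC = b"FPRT"  # assumed trailer marker, not taken from any real sample

# Constructed C2 request log lines (not real Red October traffic).
SAMPLE_LOG = [
    "GET /update?id=VICTIM-7F3A HTTP/1.1",
    "GET /update?id=VICTIM-02C1 HTTP/1.1",
    "POST /report?id=VICTIM-7F3A HTTP/1.1",
]


def build_minimal_pe(section_data: bytes) -> bytes:
    """Construct a tiny PE32 image with one section (constructed sample input).

    Only the fields overlay detection relies on are meaningful: e_lfanew,
    NumberOfSections, SizeOfOptionalHeader and the section's
    SizeOfRawData / PointerToRawData.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # size of a PE32 optional header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    optional = b"\x0b\x01" + b"\x00" * (opt_size - 2)  # Magic = PE32, rest zeroed
    raw_ptr = 0x200
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, PointerToRelocations, PointerToLinenumbers,
    # NumberOfRelocations, NumberOfLinenumbers, Characteristics
    section_hdr = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                              len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\x00\x00" + coff + optional + section_hdr
    headers += b"\x00" * (raw_ptr - len(headers))  # pad up to the section's raw data
    return headers + section_data


def pe_overlay(image: bytes) -> bytes:
    """Return everything after the end of the last section's raw data.

    A linker stops writing where its last section ends; bytes beyond that
    point were appended after linking, which is where a per-victim stamp
    added by a download server would land.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    coff_off = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff_off + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff_off + 16)[0]
    sec_table = coff_off + 20 + opt_size
    end = 0
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each entry
        size_raw, ptr_raw = struct.unpack_from("<II", image, sec_table + i * 40 + 16)
        end = max(end, ptr_raw + size_raw)
    return image[end:]


def append_fingerprint(image: bytes, victim_id: str) -> bytes:
    """Mimic the server side: stamp a per-victim identifier onto the binary."""
    return image + MAGIC + victim_id.encode("ascii")


def extract_fingerprint(image: bytes) -> Optional[str]:
    """Return the victim ID found in the overlay, or None if no trailer is present."""
    overlay = pe_overlay(image)
    if not overlay.startswith(MAGIC):
        return None
    return overlay[len(MAGIC):].decode("ascii", errors="replace")


def beacons_for_victim(victim_id: str, log_lines: List[str]) -> List[str]:
    """Tie a sample to its C2 sessions: the stamped ID reappears in later traffic."""
    return [line for line in log_lines if victim_id in line]


if __name__ == "__main__":
    clean = build_minimal_pe(b"\x90" * 64)
    stamped = append_fingerprint(clean, "VICTIM-7F3A")
    print("clean image overlay bytes:", len(pe_overlay(clean)))
    vid = extract_fingerprint(stamped)
    print("fingerprint in stamped image:", vid)
    print("matching C2 requests:", beacons_for_victim(vid, SAMPLE_LOG))
```

Run against a real sample, the same overlay check is a quick triage signal: a non-empty overlay on an executable that should be plain linker output is worth inspecting, and a distinct value per collected copy is exactly the per-target stamping Seculert describes.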


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
