Like the fictional nuclear submarine with the same name, the Rocra or Red October computer espionage campaign was designed to escape notice. It operated undetected by most antivirus products until unnamed researchers discovered it five years after it began stealing data from workstations, mobile devices and networking gear. Kaspersky Lab said it was alerted to the Rocra attacks by a partner in October; that’s when it began tracking the campaign’s myriad tentacles, which extended mainly to Eastern Europe, former Soviet nations, and Central Asian countries. In a report released today, Kaspersky described the cybercrime operation as, “still active with data being sent to multiple command-and-control servers through an infrastructure which rivals the complexity of the Flame malware.”
Kaspersky researchers say they haven’t found any connections between Rocra and Flame, but like Flame, the new campaign comprises more than a thousand unique malware files that carry out tasks such as reconnaissance, scanning for new machines to infect, recording keystrokes and screenshots, and capturing data in e-mail and USB drives. According to Kaspersky’s Threatpost blog:
“The command and control infrastructure behind this campaign is made up of 60 domains and a number of server host locations in Russia and Germany, most of which act as proxies in order to hide the true C&C server. Kaspersky said it was able to sinkhole six of the domains and watch them since Nov. 2. More than 55,000 connections were made to the sinkhole from close to 250 IP addresses. Most of those IP addresses were in Switzerland, Kazakhstan, Greece and Belarus; there are victims in 39 countries.”
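Sinkholing a C&C domain turns the attacker's own check-in traffic into victim telemetry, but raw hit counts only go so far: what an analyst actually wants from a sinkhole log is which sources are infected hosts beaconing on a timer, as opposed to one-off scanners or curious researchers. The script below is an added example written for this article, not Kaspersky's tooling or data; the log lines, IP addresses (from the RFC 5737 documentation ranges) and domain names are constructed for illustration. It summarises the log the way the quoted figures do (total connections, distinct IPs) and then profiles each source's inter-arrival cadence to flag regular beacons.

```python
"""Profile sinkhole hits: who is connecting, how often, and how regularly.

Added example for this article; the log below is constructed, not real
sinkhole data.  Format: ISO timestamp, source IP, requested C&C host.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (not Kaspersky's sinkhole data).
SINKHOLE_LOG = """\
2012-11-02T00:00:00 198.51.100.7 c2-a.example
2012-11-02T00:10:01 198.51.100.7 c2-a.example
2012-11-02T00:19:58 198.51.100.7 c2-a.example
2012-11-02T00:30:02 198.51.100.7 c2-a.example
2012-11-02T00:40:00 198.51.100.7 c2-a.example
2012-11-02T00:03:12 203.0.113.40 c2-b.example
2012-11-02T03:47:55 203.0.113.40 c2-b.example
2012-11-02T11:02:09 203.0.113.40 c2-b.example
2012-11-02T05:00:00 192.0.2.200 c2-a.example
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def parse_sinkhole(text):
    """Parse log text into (timestamp, ip, host) tuples, skipping bad lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a malformed line should not take the whole report down
        ts, ip, host = m.groups()
        events.append((datetime.fromisoformat(ts), ip, host))
    return events


def summarize(events):
    """Total hits and distinct source IPs, the two headline sinkhole numbers."""
    return len(events), len({ip for _, ip, _ in events})


def beacon_profile(events, min_hits=4, max_jitter=0.10):
    """Per source IP: hit count, median gap between hits (seconds), relative
    jitter, and whether the cadence looks like an automated beacon.

    A source is called a beacon when it has at least `min_hits` hits and every
    gap sits within `max_jitter` (fraction) of the median gap.  Sources with
    too few hits are reported but not classified.
    """
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)

    profile = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        if len(stamps) < min_hits:
            profile[ip] = {"hits": len(stamps), "beacon": False}
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        jitter = max(abs(g - med) for g in gaps) / med if med else float("inf")
        profile[ip] = {
            "hits": len(stamps),
            "median_gap_s": med,
            "jitter": jitter,
            "beacon": jitter <= max_jitter,
        }
    return profile


if __name__ == "__main__":
    evs = parse_sinkhole(SINKHOLE_LOG)
    hits, ips = summarize(evs)
    print(f"{hits} connections from {ips} distinct IPs")
    for ip, p in beacon_profile(evs).items():
        print(ip, p)
```

Two caveats a practitioner would add: a sinkhole only ever sees victims whose DNS resolution for the seized domains now points at you, so the 250 addresses in the quote are a lower bound on infections and are skewed by NAT (one IP can hide many hosts); and regular cadence alone is not proof of malice, since update checkers and monitoring agents beacon too, which is why the classification here is paired with the fact that the destination was a known C&C name.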
This level of sophistication, say the researchers, requires resources that bespeak the participation—or at least the purse strings—of a nation-state. Still, Kaspersky wouldn’t go so far as to make that claim—even though the targets of the attacks, which include oil and gas companies, aerospace and nuclear research firms, and trade and commerce organizations, suggest a country looking to improve its fortunes or gain strategic advantage by getting its hands on proprietary information without paying for it.
What the researchers have discovered is that the three exploits used in the attack, each triggered when a victim opens a booby-trapped document attachment, were likely developed by Chinese hackers. They deduced that the malware subsequently installed on the compromised machines was the work of Russian speakers because one piece of code makes a change needed to render Cyrillic characters correctly. The exploits are not new: Kaspersky says they have been used in previous attacks against targets in Asia. The difference is that the malware delivered this time was tailored to the individual victims.
Like many other online attacks, Rocra spreads when someone unwittingly opens a phishing e-mail containing a document laced with malicious code. In this case, the malware is a Trojan that installs a module capable of scanning the local network for machines vulnerable to the same exploit used by the Conficker worm. The malicious code then tries to gain access to still other machines by trying usernames and passwords from its own stolen-credential database. With each break-in, that database grows, letting Rocra make better guesses when it tries to infiltrate new systems. “With Rocra, the attackers managed to stay in the game for over 5 years...while continuing to exfiltrate what must be hundreds of terabytes by now,” Kaspersky said.
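The lateral-movement behaviour described above leaves a distinctive trace in authentication logs: a single workstation trying a growing set of account names against many different hosts in a short span, and accounts that succeed on one host turning up shortly afterwards in attempts against others. The script below is an added example written for this article, not Rocra code or Kaspersky's detection logic; the log lines, host names and account names are constructed for illustration, and the field layout (timestamp, source host, destination host, account, outcome) is an assumed simplification of what a domain controller or SIEM would export. It flags sources that spray credentials across hosts and separately lists the credential-reuse chains that the "database grows with each break-in" pattern produces.

```python
"""Detect credential-spraying lateral movement in authentication logs.

Added example for this article; the log below is constructed, not real
event data.  Format: ISO timestamp, source host, target host, account, OK|FAIL.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real incident).
SAMPLE_LOG = """\
2012-11-02T09:00:01 WS-17 FS-01 jsmith FAIL
2012-11-02T09:00:03 WS-17 FS-01 admin FAIL
2012-11-02T09:00:05 WS-17 FS-02 jsmith FAIL
2012-11-02T09:00:07 WS-17 FS-02 backup OK
2012-11-02T09:00:09 WS-17 DB-01 backup FAIL
2012-11-02T09:00:11 WS-17 DB-01 svc_sql OK
2012-11-02T09:00:13 WS-17 MAIL-01 svc_sql FAIL
2012-11-02T09:00:15 WS-17 MAIL-01 admin FAIL
2012-11-02T09:30:00 WS-04 FS-01 mgarcia OK
2012-11-02T09:31:00 WS-04 FS-01 mgarcia OK
2012-11-02T10:00:00 WS-09 FS-02 tlee FAIL
2012-11-02T10:00:30 WS-09 FS-02 tlee OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Parse log text into sorted (ts, src, dst, account, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of dropping the run
        ts, src, dst, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, user, result))
    events.sort()
    return events


def find_spraying_sources(events, window=timedelta(minutes=10),
                          min_targets=3, min_accounts=3):
    """Sources that, inside any `window`, hit >= min_targets distinct hosts
    with >= min_accounts distinct account names.  Returns {src: summary}
    covering every event that fell inside a qualifying window."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        flagged = set()
        lo = 0
        for hi in range(len(evs)):          # sliding window over sorted events
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            win = evs[lo:hi + 1]
            if (len({e[2] for e in win}) >= min_targets
                    and len({e[3] for e in win}) >= min_accounts):
                flagged.update(range(lo, hi + 1))
        if flagged:
            sus = [evs[i] for i in sorted(flagged)]
            alerts[src] = {
                "first_seen": sus[0][0],
                "targets": sorted({e[2] for e in sus}),
                "accounts": sorted({e[3] for e in sus}),
                "failures": sum(1 for e in sus if e[4] == "FAIL"),
                "successes": sum(1 for e in sus if e[4] == "OK"),
            }
    return alerts


def credential_reuse(events):
    """Accounts that succeed on one host and are later tried from the same
    source against a different host: evidence that harvested credentials are
    being replayed.  Returns (src, account, host_first_ok, later_host)."""
    first_ok = {}   # (src, account) -> host where that account first succeeded
    reuse = []
    for ts, src, dst, user, result in events:
        key = (src, user)
        if key in first_ok and dst != first_ok[key]:
            reuse.append((src, user, first_ok[key], dst))
        if result == "OK" and key not in first_ok:
            first_ok[key] = dst
    return reuse


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, a in find_spraying_sources(evs).items():
        print("spraying source:", src, a)
    for chain in credential_reuse(evs):
        print("credential reuse:", chain)
```

Note that the spraying detector deliberately counts successes as well as failures: a campaign that already holds valid credentials produces few failures, so a failed-logon threshold on its own would miss exactly the "better guesses" stage the article describes. The thresholds and window are assumptions to be tuned against a baseline of legitimate administrative activity, which otherwise produces the same one-source-many-hosts shape.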