17 January 2013

"Red October" Diplomatic Cyber Attacks Investigation

Executive Summary

In October 2012, Kaspersky Lab’s Global Research & Analysis Team initiated new threat research after a series of attacks against the computer networks of various international diplomatic service agencies. A large-scale cyber-espionage network was revealed and analyzed during the investigation, which we called «Red October» (after the famous novel «The Hunt for Red October»).
This report is based on a detailed technical analysis of a series of targeted attacks against diplomatic, governmental and scientific research organizations in different countries, mostly in Eastern Europe, former USSR member states and Central Asia.
The main objective of the attackers was to gather intelligence from the compromised organizations, which included computer systems, personal mobile devices and network equipment.
The earliest evidence indicates that the cyber-espionage campaign has been active since 2007 and is still active at the time of writing (January 2013). Besides that, registration data used for the purchase of several Command & Control (C&C) servers and unique malware filenames related to the current attackers hint at an even earlier start of activity, dating back to May 2007.

Main Findings

  • Advanced Cyber-espionage Network
  • Unique architecture
  • Broad variety of targets
  • Importation of exploits
  • Attacker identification

Anatomy of the attack

General description

These attacks followed the classic scenario of a targeted attack, consisting of two major stages:
  1. Initial infection
  2. Additional modules deployed for intelligence gathering
The malicious code was delivered via e-mail as attachments (Microsoft Excel, Word and, probably, PDF documents) rigged with exploit code for known security vulnerabilities in those applications.
Right after the victim opened the malicious document on a vulnerable system, the embedded malicious code set up the main component, which in turn handled further communication with the C&C servers.
Next, the system received a number of additional spy modules from the C&C server, including modules to handle infection of smartphones.
The main purpose of the spying modules is to steal information. This includes files from different cryptographic systems, such as «Acid Cryptofiler» (see https://fr.wikipedia.org/wiki/Acid_Cryptofiler), which is known to have been used in European Union/European Parliament/European Commission organizations since the summer of 2011. All gathered information is packed, encrypted and only then transferred to the C&C server.

.......

Another noteworthy fact is the first line of this file, which is a command to switch the codepage of the infected system to 1251. This is required to address files and directories whose names contain Cyrillic characters.
The «LHAFD.GCP» file is encrypted with RC4 and compressed with the Zlib library. This file is essentially a backdoor: it is decoded by the loader module (svchost.exe), injected into system memory, and is responsible for communication with the C&C server.
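An added analyst-side helper, not code from the report or from the malware, that mirrors the decode step described above: RC4-decrypt the blob, zlib-inflate it, and accept the result only if it starts with a PE «MZ» header. The key, the compress-then-encrypt order and the sample bytes are assumptions constructed for the demonstration; the report gives none of them.

```python
import zlib
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def unpack_payload(blob: bytes, key: bytes) -> Optional[bytes]:
    """Recover a PE image from an RC4-encrypted, zlib-compressed blob.

    Assumed order (not stated in the report): the payload was compressed first,
    then encrypted, so decoding is decrypt -> inflate. A wrong key yields garbage
    that zlib rejects; a non-PE result is also rejected, so None means 'no hit'.
    """
    try:
        plain = zlib.decompress(rc4(key, blob))
    except zlib.error:
        return None
    return plain if plain.startswith(b"MZ") else None


def pack_payload(pe: bytes, key: bytes) -> bytes:
    """Constructed test helper: the inverse of unpack_payload (compress, then encrypt)."""
    return rc4(key, zlib.compress(pe))


# Constructed sample: a fake PE stub and a hypothetical key (neither is the real one)
SAMPLE_KEY = b"hypothetical-key"
SAMPLE_PE = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode." + b"\x00" * 200
SAMPLE_BLOB = pack_payload(SAMPLE_PE, SAMPLE_KEY)
```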
...........


There is a notable module among all the others, which is essentially created to be embedded into Adobe Reader and Microsoft Office applications. The main purpose of its code is to create a foolproof way to regain access to the target system. The module expects a specially crafted document with attached executable code and special tags. The document may be sent to the victim via e-mail. It will not contain exploit code and will safely pass all security checks. However, as in the exploit case, the document will be instantly processed by the module, and the module will start the malicious application attached to the document.
.....

Timeline

We have identified over 1000 different malicious files related to over 30 modules of this Trojan kit. Most of them were created between May 2010 and October 2012.
We identified 115 file-creation dates related to these campaigns via e-mails over the last two and a half years. A concentration of file-creation dates around a particular day may indicate the date of a mass attack (which some of our side observations also confirmed):
Year 2010
  • 19.05.2010
  • 21.07.2010
  • 04.09.2010
Year 2011
  • 05.01.2011
  • 14.03.2011
  • 05.04.2011
  • 23.06.2011
  • 06.09.2011
  • 21.09.2011
Year 2012
  • 12.01.2012
We used two approaches to identify the targets of these attacks. First, we used the Kaspersky Security Network (KSN), and then we set up our own sinkhole server. The data obtained via these two independent methods correlated, which confirmed the findings.

........

Countries with more than one infection

  Country                   Infections
  RUSSIAN FEDERATION        35
  KAZAKHSTAN                21
  AZERBAIJAN                15
  BELGIUM                   15
  INDIA                     15
  AFGHANISTAN               10
  ARMENIA                   10
  IRAN                       7
  TURKMENISTAN               7
  UKRAINE                    6
  UNITED STATES              6
  VIET NAM                   6
  BELARUS                    5
  GREECE                     5
  ITALY                      5
  MOROCCO                    5
  PAKISTAN                   5
  SWITZERLAND                5
  UGANDA                     5
  UNITED ARAB EMIRATES       5
  BRAZIL                     4
  FRANCE                     4
  GEORGIA                    4
  GERMANY                    4
  JORDAN                     4
  MOLDOVA                    4
  SOUTH AFRICA               4
  TAJIKISTAN                 4
  TURKEY                     4
  UZBEKISTAN                 4
  AUSTRIA                    3
  CYPRUS                     3
  KYRGYZSTAN                 3
  LEBANON                    3
  MALAYSIA                   3
  QATAR                      3
  SAUDI ARABIA               3
  CONGO                      2
  INDONESIA                  2
  KENYA                      2
  LITHUANIA                  2
  OMAN                       2
  TANZANIA                   2

From the point of view of the country distribution of connections to the sinkhole, we have observed victims in 39 countries, with most IPs being from Switzerland. Kazakhstan and Greece follow next.
........
Some of the victim organizations were identified using IP addresses and public WHOIS information or remote system names.
The most «interesting» of those are:
  Algeria - Embassy
  Afghanistan - Gov, Military, Embassy
  Armenia - Gov, Embassy
  Austria - Embassy
  Azerbaijan - Oil/Energy, Embassy, Research
  Belarus - Research, Oil/Energy, Gov, Embassy
  Belgium - Embassy
  Bosnia and Herzegovina - Embassy
  Botswana - Embassy
  Brunei Darussalam - Gov
  Congo - Embassy
  Cyprus - Embassy, Gov
  France - Embassy, Military
  Georgia - Embassy
  Germany - Embassy
  Greece - Embassy
  Hungary - Embassy
  India - Embassy
  Indonesia - Embassy
  Iran - Embassy
  Iraq - Gov
  Ireland - Embassy
  Israel - Embassy
  Italy - Embassy
  Japan - Trade, Embassy
  Jordan - Embassy
  Kazakhstan - Gov, Research, Aerospace, Nuclear/Energy, Military
  Kenya - Embassy
  Kuwait - Embassy
  Latvia - Embassy
  Lebanon - Embassy
  Lithuania - Embassy
  Luxembourg - Gov
  Mauritania - Embassy
  Moldova - Gov, Military, Embassy
  Morocco - Embassy
  Mozambique - Embassy
  Oman - Embassy
  Pakistan - Embassy
  Portugal - Embassy
  Qatar - Embassy
  Russia - Embassy, Research, Military, Nuclear/Energy
  Saudi Arabia - Embassy
  South Africa - Embassy
  Spain - Gov, Embassy
  Switzerland - Embassy
  Tanzania - Embassy
  Turkey - Embassy
  Turkmenistan - Gov, Oil/Energy
  Uganda - Embassy
  Ukraine - Military
  United Arab Emirates - Oil/Energy, Embassy, Gov
  United States - Embassy
  Uzbekistan - Embassy

............
For instance, a top level XLS dropper presumably used against a Polish target, named “Katyn_-_opinia_Rosjan.xls” contains the hardcoded victim ID “F50D0B17F870EB38026F”. A similar XLS named “tactlist_05-05-2011_.8634.xls / EEAS New contact list (05-05-2011).xls” possibly used in Moldova contains a victim ID “FCF5E48A0AE558F4B859”.