The hunt for ‘Red October’ is finally over according to malware researchers at Kaspersky Labs

The hunt for a major cyber-attack that could have been stealing confidential documents since 2007 is finally over after the Red October malware was discovered by researchers at Russia’s Kaspersky Labs. The malware had been targeting government institutions, embassies, oil and gas institutions and nuclear research centres. Red October, named after the Russian submarine featured in the Tom Clancy novel The Hunt For Red October, was designed to steal encrypted files, and was so sophisticated that it was even able to recover files that had been deleted. Experts are hailing the discovery as ‘very significant’.

According to Professor Alan Woodward from the University of Surrey, the malware differed from others in that it targeted very specific encrypted files. Speaking to the BBC, the professor claimed:

“It appears to be trying to suck up all the usual things – word documents, PDFs, all the things you’d expect: but a couple of the file extensions it’s going after are very specific encrypted files.”

Although the primary focus of the malware was targeted at counties in Eastern Europe, former USSR Republics, and countries in Central Asia, its victims could be found everywhere, including Western Europe and North America, according the chief malware researcher at Kaspersky Labs, Vitaly Kamluk:

“The main objective of the attackers was to gather sensitive documents from the compromised organisations, which included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment.”

“We initiated our checks and quite quickly understood that it was a massive cyber-attack campaign. There were a quite limited set of targets that were affected – but they were carefully selected. They seem to be related to some high-profile organisations.”

Red October malware is similar in many ways to Flame, another cyber-attack discovered last year. Like Flame, Red October is made up of several distinct modules, which each have a set objective. But unlike other major cyber-attacks like Stuxnet, it is not believed to have caused any physical damage to infrastructure, and concentrated solely on stealing information.

What made Red October so insidious in Professor Woodward’s opinion, was that it had an inherent ability to hide itself on machines to avoid detection:

“If it’s discovered, it hides. When everyone thinks the coast is clear, you just send an email and ‘boof’ it’s back and active again.”

Like most malware attacks, there are some clues about its origin, but security experts have warned that these could actually be double-bluffs; in other words simply attempts to throw investigators off the real scent. Mr Kamluk told the BBC that the code was littered with broken, Russian-influenced English, though others have suggested that this too could be another double-bluff to conceal the truth. Kaspersky’s research indicated there were 55,000 connection targets within 250 different IP addresses. Effectively what this means is that large numbers of computers were infected in single locations – possibly government buildings or facilities. Kaspersky Labs will publish a 100-page report about the malware in the next week or two.

If your business needs help with security reviews, penetration testing or web security solutions, please contact Krypsys on 01273 044 072 or [email protected].