London, UK – 9 February 2013

By Mark Collinson

Updated – 25 February 2013

Meagre pay for Russian and Chinese programmers linked to Red October malware attack

Economic hardship is the driving force behind the complex and destructive “Red October” or “Rocra” virus that originated in the former Soviet Union. Experts say it has already successfully attacked high level military and diplomatic targets around the world. The high level spying campaign was uncovered by Russian internet security firm, Kaspersky Security Network (KSN). Working undetected for nearly five years, the campaign is believed to have targeted top level diplomats, research institutes, governing bodies, oil and gas companies, nuclear research centres, and military and aerospace.


Photo left: Server Bank “Red October has systematically targeted both civilian and military critical infrastructure and sensitive data”

In a public statement, Kaspersky revealed that the virus’ main objective was the gathering of sensitive documents from the compromised organisations. This included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment. The Moscow based IT Security company also reports to have found “several hundred infected systems,” with the vast majority being in the former Soviet Union and Eastern Europe.

Russia has the highest number of infections with 35 sites, but they have also been found in limited numbers throughout Western Europe and North America. While the full impact of the virus network still remains unknown, experts say the origins of its creation are a direct result of very tangible socio-economic problems. “Most (malware) comes from either Eastern Europe or the Far East, and this is principally because of economic reasons,” said Matt Egan, Editor of PC Advisor. “If you are a talented software programmer and you live in Russia or China, you can make more money programming viruses than you can doing outsourced work for western countries,” Egan told DefenceReport.

Large scale malware methodology

According to Kaspersky, which provides computer defence systems to some 300 million users worldwide, Rocra is designed to exploit vulnerabilities in Microsoft Word, Excel and PDF Documents. It is primarily transmitted through “spear phishing” emails that appear to the recipient to be from a legitimate source in the hope of tricking them into revealing confidential data or by encouraging them to click on a link.

Once the link has been opened or an infected URL visited, the embedded malicious code initiates a setup with the command and control server which then allows a number of spy modules to infiltrate the system and begin vacuuming data. The unique coding used in Rocra also means that the attack can be re-activated even after it has been removed from infected systems by simply sending an email. A labyrinth of more than 60 domain names were used to hide, what Kaspersky call, the “true mother ship” with hosting locations found in Germany and Russia among other countries. The data collected could be anything from statistics to personal details which is then used to guess passwords and gain access to confidential information.

The origins of the attack are still officially unknown, though Kaspersky maintains that the attackers have Russian-speaking origins due to the number of Russian and Chinese words used in the coding. One of the most striking of these is “proga” – a Russian slang word meaning “programme” or “application”. Experts say this is significant as it is not known to have been used in any software other than that created by Russian programmers.

Programmer motivations and repercussions

Those like Matt Egan say that the evolution of virus-based malware is accelerating. According to experts, when the potential gains outweigh the risks then these developments will continue to follow an explosive trajectory. And while geographically co-locating malware signatures and physical hardware is possible, finding the people responsible is exceedingly challenging for state authorities.

IT experts suggest Red October is not likely to be a state sponsored attack, particularly in light of recent similar intrusions in Iran’s critical energy infrastructure networks. Iran and several Middle East countries were affected by similar malware – labelled the Flame virus. It forced Iran’s Ministry of Oil offline, and many western leaders credited the US for its creation and distribution. Critics also say it remains unlikely the culprits behind the Rocra malware will be found, nor is it likely that the details of the stolen data will be known.

However, the focus is now on the organisations that handle sensitive national data and their security protocols. Experts say companies should have stringent security measures in place that should, at the very least, minimise the risk. “This is much less about the software itself and more about all these organisations, who really should know better, that apparently do not have any policy to record when they are losing important information. There should also certainly be a policy in place that says staff are not allowed to click links or download word documents,” said Egan.

Symantec Security, who operate Norton Security, told DefenceReport that they were aware of the Red October threat and have detection and protection for its customers in place. Some will see this as too little too late, however, as experts estimate that as many as five terabytes of information have already been removed from infected systems Kaspersky has said they have begun to uncover some details highlighting the quantity and type of data lost, but experts say the true scope of the damage has yet to be revealed. They add that the scale of data compromise will only be truly understood when high value captured data is finally released on the black market for sale or swap. Such transactions would only seemingly reinforce the economic model many ‘black hat’ hackers and malware designers in China and the former Soviet Union have turned to – digital espionage that pays well while promising little risk of detection, much less capture.

The following refused to comment to DefenceReport on the Red October virus: Russian government spokesmen, Russian Embassy spokesmen in London, Kaspersky Labs and McAfee Labs.

Correction – Spelling of the name ‘Matt Egan’ has been corrected.

Feature photo / “Terminal work” – Creative Commons ‘CD’

Inset photo / “Server Bank” – CERN

By Mark Collinson

Mark is a London based security reporter specialising in cyber and network warfare and security.