Operation Red October

Mario Rojas Chinchilla
Sep 19, 2023


As a kid, I remember rushing back home after school to watch as spies on TV would put on disguises and pull off the most elaborate heists to swipe some top-secret, world-threatening information.

Even today, every other show has at least one scene where someone uses a USB drive to download confidential information, always just a heartbeat away from getting caught. But nowadays, cybercriminals get to launch cyberattacks and espionage operations from the safety of their homes.

The Attacks

In October 2012, Kaspersky Lab began investigating a series of cyberattacks that were unlike anything the industry had seen, and published its findings in January 2013. The attacks were highly sophisticated, carefully targeted, and had been running for at least five years without anyone noticing. The campaign became known as “Operation Red October,” or Rocra for short.

The first thing we must understand about the Red October attacks is that they were not designed to be flashy or showy like the ones we would watch in the movies. Instead, the attackers focused on stealth and persistence.

The Targets

Rocra managed to infiltrate almost 400 government entities, including diplomatic and scientific research operations, nuclear and energy research groups, embassies, and oil and gas companies.

They managed to do this in more than 35 countries, gathering intelligence not only from workstations but also from mobile phones, routers, and other network equipment, all without the victims ever having a clue.

Here is a list of the countries with the most infections as of January 2013, according to Kaspersky:

The Tactics, Techniques, and Procedures (TTPs)

To infect the victims, Rocra used spear-phishing. The attackers sent emails with subject lines and bodies tailored to each target, often from the mailboxes of organizations they had already compromised. The emails carried malicious Excel and Word documents containing exploits for previously known, already patched vulnerabilities: CVE-2009-3129 (MS Excel), CVE-2010-3333 (MS Word, RTF parsing), and CVE-2012-0158 (the MSCOMCTL ActiveX control, delivered through Word/RTF documents). Once the recipient opened the attachment, the exploit dropped a trojan on the device. None of these were zero-days; an organization that kept Office patched would have stopped the initial access.
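The lure documents above all rode in legacy Office containers (binary .doc/.xls or RTF), so a mail gateway can at least flag that class of attachment before a user opens it. The following is an added example of that triage logic, not Kaspersky's or the author's tooling: it sniffs the real container from magic bytes rather than trusting the extension, flags RTF that embeds an OLE object (the delivery vehicle for the RTF-borne exploits of that era), and notes the classic trick of RTF content hiding behind a .doc extension. The sample attachments are constructed inline for the demonstration.

```python
"""Mail-gateway triage for legacy Office attachments (added example)."""
import re

# Real container signatures: OLE2 compound file, RTF, and zip (OOXML .docx/.xlsx).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
RTF_MAGIC = b"{\\rtf"
ZIP_MAGIC = b"PK\x03\x04"

# RTF control words that introduce an embedded OLE object.
RTF_OBJECT_WORDS = re.compile(rb"\\(objdata|objclass|objemb)\b")

# What container each extension should legitimately carry. RTF behind .doc is
# rendered fine by Word, which is exactly why lures use it; we treat it as a lie.
EXPECTED_CONTAINER = {
    "doc": ("ole2",), "xls": ("ole2",), "rtf": ("rtf",),
    "docx": ("ooxml",), "xlsx": ("ooxml",),
}


def sniff(data: bytes) -> str:
    """Identify the container from its leading bytes, ignoring the filename."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def triage(filename: str, data: bytes):
    """Return (verdict, findings) for one attachment.

    allow      - nothing notable
    review     - legacy container (the parsers with the 2009-2012 bugs)
    quarantine - extension/content mismatch or RTF with an embedded object
    """
    fmt = sniff(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    findings = []
    if fmt in ("ole2", "rtf"):
        findings.append(f"legacy {fmt} container")
    if ext in EXPECTED_CONTAINER and fmt not in EXPECTED_CONTAINER[ext]:
        findings.append(f"extension .{ext} does not match {fmt} content")
    if fmt == "rtf" and RTF_OBJECT_WORDS.search(data):
        findings.append("rtf embeds an OLE object")

    if any("does not match" in f or "OLE object" in f for f in findings):
        return "quarantine", findings
    if findings:
        return "review", findings
    return "allow", findings


# Constructed samples (not real malware): a genuine binary spreadsheet, an
# OOXML document, and an RTF lure with an embedded object behind a .doc name.
SAMPLE_OLE = OLE2_MAGIC + b"\x00" * 24
SAMPLE_OOXML = ZIP_MAGIC + b"\x14\x00\x00\x00" + b"[Content_Types].xml"
SAMPLE_RTF_LURE = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}"
                   b"{\\*\\objdata 0105000002000000}}}")

if __name__ == "__main__":
    for name, blob in [("agenda.xls", SAMPLE_OLE),
                       ("notes.docx", SAMPLE_OOXML),
                       ("Report.doc", SAMPLE_RTF_LURE)]:
        print(name, triage(name, blob))
```

The point of sniffing rather than trusting the extension is that the container decides which parser (and therefore which CVE) runs when the user double-clicks; a policy keyed on `.doc` versus `.docx` alone misses RTF lures entirely.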

The Rocra malware stood out for its versatility. Almost like a digital Swiss Army knife, it did a bit of everything: stealing files, emails, screenshots, and passwords, logging keystrokes, and even extracting browsing history, calendars, call logs, and text messages from smartphones. If the malware was discovered and removed, a “resurrection” module, planted as a plugin inside Adobe Reader and Microsoft Office installations, let the attackers regain access and reactivate the malware simply by sending the victim another email with a specially crafted document.

To control the compromised systems, the attackers set up over 60 domains and several VPS (Virtual Private Servers) across multiple countries, mainly Germany and Russia.

Below is an overview of what Rocra’s command and control infrastructure looked like, as per Kaspersky.

Taken from https://securelist.com/the-red-october-campaign/57647/

These servers functioned as a chain of proxies, concealing the location of the central control server. Equipped with over 1,000 modules, Rocra could tailor its approach to each machine’s configuration. At one point, it was estimated that over seven terabytes of data had been stolen, including files encrypted with software used by the European Union and NATO, along with the keys needed to decrypt them.

Attribution

At this point, you are probably wondering who did it and whether they got away with it. Attribution and motivation are rarely clear-cut. Two factors complicate attribution here: the exploits appear to have been created by Chinese hackers, while the Rocra malware modules were developed by Russian-speaking operatives.

Many experts believed it was a nation-state-sponsored initiative because Red October strategically targeted vital infrastructure sectors such as nuclear, energy, aerospace, and military. Additionally, Red October was highly complex and costly but did not stand to make substantial financial gains. The focus of the operation was always maintaining long-term access to governmental and industrial classified information.

The End?

Once Kaspersky Lab began reporting on Red October, hosting providers and domain registrars started shutting down infrastructure linked to the campaign. But operations like Red October don’t just go away; they hide and wait.

In 2014, Kaspersky researchers identified parallels between Red October and a new campaign called Cloud Atlas. Cloud Atlas used similar spear-phishing tactics and even targeted some of the same machines previously infected by Red October. That left me thinking: surely they wouldn’t still be using vulnerabilities that are more than a decade old, right?

I used the CVE Prioritizer tool to collect recent and relevant scores: CVSS, EPSS, and whether each CVE is in CISA’s KEV catalog. To my surprise, not only are all three CVEs listed in CISA’s Known Exploited Vulnerabilities Catalog, but they also carry very high EPSS (Exploit Prediction Scoring System) scores, meaning a high estimated probability of exploitation activity in the wild within the next 30 days.

Since the scores are so high, I checked the historic EPSS scores for each vulnerability since March 2021 to see whether they have risen recently or have held the same level since their introduction to EPSS.

As we can see on the graph, the scores for each of the CVEs have increased in the last few months. This could simply be the result of FIRST.org updating the EPSS scoring model (the EPSS v3 model released in March 2023 shifted many scores), or could it be a sign of something bigger? Are the operatives behind Rocra still looking for these vulnerabilities? Can the vulnerabilities still be found in the wild? Probably not, but you never know. Rocra may still be lurking in the networks of organizations running legacy systems.
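The two checks described above, pulling CVSS/EPSS/KEV for a CVE and then looking at how its EPSS score has drifted over time, are easy to reproduce without the CVE Prioritizer tool. Here is an added example (my own, not the tool’s code): the tiering thresholds (CVSS 6.0, EPSS 0.2) and tier names are assumptions loosely modeled on that tool’s defaults, the response structures are modeled on FIRST’s EPSS API and CISA’s KEV JSON feed, and every score in the samples is constructed for the demonstration rather than the real value. The `fetch_*` helpers query the live services if you call them; the rest runs offline.

```python
"""EPSS/KEV prioritisation and EPSS drift check (added example)."""
import json
import urllib.request

EPSS_API = "https://api.first.org/data/v1/epss"
KEV_FEED = ("https://www.cisa.gov/sites/default/files/feeds/"
            "known_exploited_vulnerabilities.json")
ROCRA_CVES = ["CVE-2009-3129", "CVE-2010-3333", "CVE-2012-0158"]

# Constructed sample shaped like EPSS_API?cve=...&scope=time-series.
# The numbers are invented for the demo, not the scores from the post's graph.
SAMPLE_EPSS = {"status": "OK", "data": [
    {"cve": "CVE-2009-3129", "epss": "0.93", "percentile": "0.99", "date": "2023-09-19",
     "time-series": [{"epss": "0.61", "percentile": "0.97", "date": "2023-03-19"},
                     {"epss": "0.78", "percentile": "0.98", "date": "2023-06-19"},
                     {"epss": "0.93", "percentile": "0.99", "date": "2023-09-19"}]},
    {"cve": "CVE-2010-3333", "epss": "0.88", "percentile": "0.98", "date": "2023-09-19",
     "time-series": [{"epss": "0.55", "percentile": "0.96", "date": "2023-03-19"},
                     {"epss": "0.70", "percentile": "0.97", "date": "2023-06-19"},
                     {"epss": "0.88", "percentile": "0.98", "date": "2023-09-19"}]},
    {"cve": "CVE-2012-0158", "epss": "0.96", "percentile": "0.99", "date": "2023-09-19",
     "time-series": [{"epss": "0.90", "percentile": "0.99", "date": "2023-03-19"},
                     {"epss": "0.95", "percentile": "0.99", "date": "2023-06-19"},
                     {"epss": "0.96", "percentile": "0.99", "date": "2023-09-19"}]},
]}
# Constructed sample shaped like the KEV feed (only the fields used here).
SAMPLE_KEV = {"vulnerabilities": [
    {"cveID": "CVE-2009-3129", "vendorProject": "Microsoft", "product": "Office"},
    {"cveID": "CVE-2010-3333", "vendorProject": "Microsoft", "product": "Office"},
    {"cveID": "CVE-2012-0158", "vendorProject": "Microsoft", "product": "MSCOMCTL"},
]}
# Constructed CVSS base scores for the demo (assumption, not pulled from NVD).
SAMPLE_CVSS = {"CVE-2009-3129": 9.3, "CVE-2010-3333": 9.3, "CVE-2012-0158": 8.8}


def kev_ids(feed):
    """Set of CVE IDs present in a KEV feed document."""
    return {v["cveID"] for v in feed["vulnerabilities"]}


def epss_series(response, cve):
    """Date-ordered [(date, epss), ...] for one CVE from a time-series response."""
    for entry in response["data"]:
        if entry["cve"] == cve:
            return sorted((p["date"], float(p["epss"])) for p in entry["time-series"])
    return []


def epss_drift(response, cve):
    """EPSS change between first and last point (None if fewer than two points)."""
    pts = epss_series(response, cve)
    if len(pts) < 2:
        return None
    return round(pts[-1][1] - pts[0][1], 4)


def priority(cvss, epss, in_kev, cvss_min=6.0, epss_min=0.2):
    """Tier a CVE. Known exploitation (KEV) always wins; thresholds are assumptions."""
    if in_kev:
        return "P1+"
    if cvss >= cvss_min and epss >= epss_min:
        return "P1"
    if cvss >= cvss_min:
        return "P2"
    if epss >= epss_min:
        return "P3"
    return "P4"


def prioritize(cves, epss_response, kev_feed, cvss_scores):
    """One row per CVE with the inputs, the tier, and the EPSS drift."""
    kev = kev_ids(kev_feed)
    latest = {e["cve"]: float(e["epss"]) for e in epss_response["data"]}
    rows = []
    for cve in cves:
        cvss = cvss_scores.get(cve, 0.0)
        epss = latest.get(cve, 0.0)
        rows.append({"cve": cve, "cvss": cvss, "epss": epss, "kev": cve in kev,
                     "drift": epss_drift(epss_response, cve),
                     "priority": priority(cvss, epss, cve in kev)})
    return rows


def fetch_epss(cves):
    """Live EPSS time-series for the given CVEs (network call)."""
    url = f"{EPSS_API}?cve={','.join(cves)}&scope=time-series"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def fetch_kev():
    """Live KEV feed (network call)."""
    with urllib.request.urlopen(KEV_FEED, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for row in prioritize(ROCRA_CVES, SAMPLE_EPSS, SAMPLE_KEV, SAMPLE_CVSS):
        print(row)
```

Swap `SAMPLE_EPSS`/`SAMPLE_KEV` for `fetch_epss(ROCRA_CVES)`/`fetch_kev()` to run it against the live feeds. The drift column is what separates “the model changed” from “something is happening”: a jump confined to the dates of an EPSS model release looks very different from a steady climb across many snapshots.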

Please join me in this series as I look back on some of the most notorious and influential cyber attacks of all time.

Written by Mario Rojas Chinchilla

14+ years in cyber security, threat intelligence, OSINT & dark web investigations. Uncovering threats & protecting organizations. Fueled by coffee and cookies.