Red October is - says Kaspersky - a shadowy group of conspirators leeching data from high-ranking public figures
Kaspersky Lab this week announced that it had found what it described as a shadowy group of hackers who had been harvesting data from various diplomatic, government, and scientific research computer networks. According to the Kaspersky Lab report, the Red October hackers have been specifically targeting high-ranking individuals in public sector roles in so-called 'spear phishing' attacks (targeted phishing). Here's everything you need to know about Red October.
According to Kaspersky, for five years Red October has been tempting its targets into opening files that exploit a number of relatively minor security vulnerabilities in programs such as Microsoft's Excel and Word, as well as poisoned PDFs and Java exploits. The malware then infects PCs, smartphones, and networking kit.
According to the Kaspersky report, Red October uses at least three exploits created in China. The group behind the attack, however, is Russian - or at least Russian-speaking. Given that some of the targets were high-ranking US officials, this led to some speculation about it being politically motivated intelligence gathering. Some reports even suggested that Red October was government-sponsored spying.
Red October: Your questions answered
It's the sort of story that garners interest outside of the usual tech-security circles, and the other day I was interviewed by a journalist from Defence Report about Red October. Here's a rough transcript of our conversation (and yes, we appreciate it's a little odd to publish an interview with yourself). Here's the full Defence Report story about Red October.
Defence Report: Red October has been active for over five years. Do you feel it should have been detected earlier?
Matt Egan, editor, PC Advisor: It's never good that an active threat isn't detected over a long period of time. But if you consider the threat environment as a whole, there are literally millions of pieces of live malware out there, all of them minor variations on each other. It's almost impossible to recognise every piece of malware - it's much more important to mitigate against the types of behaviours in which they indulge.
It's also worth pointing out that Red October should not be confused with a single, killer piece of malware. Rather it's the actions of a group, using a mixture of different exploits. As such you could no more detect 'it' than you could catch water.
DR: There has been speculation that the virus originated from Russian-speaking persons, with Chinese hackers, due to both grammatical errors and the use of Russian slang in the coding. Do you believe this is true or could they have been deliberate red herrings?
PCA: It would be surprising if the malware didn't include Chinese and Russian code. Most malware originates from Eastern Europe and the Far East. This is principally an economic phenomenon - in many under-developed economies you can earn more in foreign currency by being involved in cybercrime than through legitimate coding. Just look at the fees charged for outsourcing.
Malware, like all major code, is often cobbled together from multiple sources these days. Red October isn't even a single piece of malware, more a group of people using various exploits to target specific people and organisations. If Kaspersky says the group is Russian-speaking that is one thing, but the language used in the code is probably not important.
DR: Do you feel this is a state sponsored virus or criminals looking to sell information?
PCA: It's impossible to say, but it could be. Almost all malware is driven by financial motives. When you spot malware the question you should ask is: who is gaining from this? In this case, we don't know the full extent of it. It's possible that Kaspersky has picked up - or even published - only the interesting aspects of Red October. Perhaps Red October has targeted people not in the report?
It's undeniably the case that nations could use malware to disrupt or steal information from other countries. It's almost certainly happening as we speak. But it is impossible to say that Red October is definitely state sponsored.
DR: Could more have been done by top international organizations to protect themselves against such an attack?
PCA: I can't comment on that, but it is concerning that such a group could access data from what should be expert organisations. Most breaches these days are a result of human error, however, and that is difficult to secure against.
DR: If the virus did originate in Russia would that make it more likely that a Russian lab, such as Kaspersky, would find it or was that just a coincidence?
PCA: Not really. Kaspersky is a world leader in unearthing this type of thing. Malware is global.
DR: Do you feel that there are more similar viruses still undetected?
PCA: Again, Red October is not 'a virus', it's the actions of a group utilising multiple exploits, delivered using phishing.
There are literally millions of viruses out there. It's impossible to catalogue them all. And even if you do, like organic viruses they mutate rapidly.
DR: As Red October is still active what should agencies do to safeguard their information?
PCA: The delivery method here is 'spear phishing', or targeted phishing. That is, a spoof email or message is used to convince the target to pass on some information, download a file or simply click a link. It relies on human error, so the most important thing is to inform and educate staff members.
There should be a well-known policy guarding against clicking links and downloading files. Make sure the software and hardware-based malware detection is robust and up to date.
There should also be a policy about sharing sensitive data. Certain types of file should simply not be allowed to leave the network, and emails should be scanned for information that shouldn't be allowed to leave the building.
Finally, on a practical level, make sure all Windows devices are up to date and - if possible - disable Java.
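As an added example (not from the article, the interviewee or Kaspersky's report), here is one way a mail gateway could enforce the file policy described above for the lure formats the piece names: attachments are identified by their leading bytes rather than their filename, Java payloads are refused, and a document whose content contradicts its extension is held for review. The policy, the helper names and the sample attachments are assumptions constructed for this example.

```python
import io, zipfile
# Leading bytes of the lure formats the interview names (Office, PDF, Java).
MAGIC = {
    b"%PDF-": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "office-ole",  # legacy .doc / .xls container
    b"\xca\xfe\xba\xbe": "java-class",
}
# Extensions that legitimately carry each sniffed type; anything else is a mismatch.
EXPECTED_EXT = {"pdf": {"pdf"}, "office-ole": {"doc", "xls", "ppt"},
                "office-ooxml": {"docx", "xlsx", "pptx", "docm", "xlsm"},
                "java-class": {"class"}, "java-jar": {"jar"}}
def sniff(data: bytes) -> str:
    """Identify the attachment type from its content, never from its name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    if data.startswith(b"PK\x03\x04"):  # OOXML and JAR are both zip containers
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "zip-damaged"
        if "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names):
            return "java-jar"
        return "office-ooxml" if "[Content_Types].xml" in names else "zip"
    return "other"

def check_attachment(filename: str, data: bytes) -> str:
    """Assumed policy: Java payloads are blocked outright; a document whose content
    disagrees with its extension (a renamed lure) is quarantined; the rest is allowed."""
    kind = sniff(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind in ("java-jar", "java-class"):
        return "block"
    if kind in EXPECTED_EXT and ext not in EXPECTED_EXT[kind]:
        return "quarantine"
    return "allow"

def make_zip(entries: dict) -> bytes:
    """Build a small zip container in memory for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in entries.items():
            z.writestr(name, body)
    return buf.getvalue()
SAMPLES = {  # constructed: a genuine report, a JAR posing as a spreadsheet, a renamed PDF
    "report.docx": make_zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w/>"}),
    "budget.xlsx": make_zip({"META-INF/MANIFEST.MF": "Main-Class: Lure\n", "Lure.class": "x"}),
    "agenda.txt": b"%PDF-1.4\n%constructed",
}
```

The same content check can run on outbound mail to stop the file types the policy says must not leave the network, since a renamed extension no longer hides them.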