The Red October espionage malware campaign is giving security researchers a deep look at the complexity of targeted attacks. In this case the attackers made use of more than 1,000 malware modules covering everything from reconnaissance on targets to exfiltration of stolen data to command and control servers.
The moving parts behind Red October are vast and have been under wraps for the better part of five years, Kaspersky Lab researchers revealed this week. Since August 2007 the attackers behind the campaign have targeted victims in 39 countries, primarily diplomats, researchers and military facilities, among other institutions. They stole reams of data, gaining their footholds with exploits for known Microsoft vulnerabilities, and constantly uploaded their loot to a network of 60 command and control servers, a number that rivals the 90-plus domains used by the Flame cyberespionage campaign.
Kaspersky was able to sinkhole a half dozen of those domains and, over a two-month period, watched 250 unique IP addresses connect more than 55,000 times. What the researchers found was a fascinating mix of tasks mandated by the attackers, some of which remained persistent on compromised machines while others were one-time operations. Most noteworthy, the attacks were tailored to particular victims: each victim is assigned a unique identifier that lets the attackers assemble a complete picture of that system's configuration, browsing habits and more, and manage each intrusion individually if need be.
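The sinkhole figures above (unique source addresses, total connections, and a per-victim identifier carried in each beacon) are the kind of thing a responder derives from the sinkhole's access log. The following is an added illustration of that triage, not code from Kaspersky or from the Red October research: the log format, the `/update` path and the `id`/`task` query parameters are invented for the example and do not describe Red October's real protocol, and the log lines are constructed. Keying the summary on the beacon identifier rather than the source address is what lets you tell apart several implants behind one NAT address, or follow one implant as its address changes.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sinkhole access-log lines. The format, the "/update" path and the
# "id"/"task" parameters are assumptions for this example, not the real
# Red October C2 protocol. Lines are assumed to be in chronological order.
SINKHOLE_LOG = """\
2013-01-02T10:00:01Z 198.51.100.7 GET /update?id=A1B2C3&task=0
2013-01-02T10:05:02Z 198.51.100.7 GET /update?id=A1B2C3&task=0
2013-01-02T10:06:10Z 203.0.113.4 GET /update?id=D4E5F6&task=3
2013-01-02T11:00:00Z 198.51.100.7 GET /update?id=A1B2C3&task=1
2013-01-02T11:30:00Z 192.0.2.99 GET /favicon.ico
2013-01-02T12:00:00Z 203.0.113.4 GET /update?id=D4E5F6&task=3
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+)$")


def parse_line(line):
    """Return (timestamp, ip, victim_id, task) for one log line, or None if the
    line does not match the assumed format. victim_id and task are None when
    the request carries no beacon parameters, i.e. scanner or browser noise
    that hits any sinkholed domain."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    query = parse_qs(urlsplit(m["path"]).query)
    victim_id = query.get("id", [None])[0]
    task = query.get("task", [None])[0]
    return m["ts"], m["ip"], victim_id, task


def summarize(log_text):
    """Aggregate sinkhole traffic into overall counts plus a per-victim view
    keyed by the beacon identifier. Each victim entry records the source
    addresses it beaconed from, how many beacons it sent, which task values it
    reported, and when it was first and last seen."""
    total = 0
    ips = set()
    noise = 0
    victims = defaultdict(lambda: {"ips": set(), "beacons": 0, "tasks": set(),
                                   "first_seen": None, "last_seen": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, victim_id, task = rec
        total += 1
        ips.add(ip)
        if victim_id is None:
            noise += 1
            continue
        v = victims[victim_id]
        v["ips"].add(ip)
        v["beacons"] += 1
        if task is not None:
            v["tasks"].add(task)
        if v["first_seen"] is None:
            v["first_seen"] = ts
        v["last_seen"] = ts
    return {
        "total_connections": total,
        "unique_ips": len(ips),
        "beacons": total - noise,
        "noise": noise,
        "victims": dict(victims),
    }


if __name__ == "__main__":
    s = summarize(SINKHOLE_LOG)
    print(f"{s['total_connections']} connections from {s['unique_ips']} IPs: "
          f"{s['beacons']} beacons, {s['noise']} noise")
    for vid, v in s["victims"].items():
        print(vid, sorted(v["ips"]), v["beacons"], sorted(v["tasks"]),
              v["first_seen"], v["last_seen"])
```

On real sinkhole data the noise count matters: security scanners, crawlers and other malware families all reach a sinkholed domain, so counting raw connections overstates the victim population, which is why the per-identifier view is the one to report.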