By VirtualThreat

Red October Spy Network Goes Dark Hours After Being Exposed



Chris Dougherty
VirtualThreat Contributing Writer

 

The command and control servers behind the ‘Red October’ espionage network started shutting down only hours after the campaign was exposed by Kaspersky Lab last week.

The Red October malware campaign targeted governments, embassies and scientific organizations around the world. According to researchers at Kaspersky Lab, the spy network had been gathering data and intelligence from mobile devices, computer systems and network equipment for the last five years.

See related article: http://www.virtualthreat.com/2013/01/15/operation-red-october-is-spying-on-governments-worldwide/

The malware, and the complex network design behind it, is rumored to rival the infrastructure of the Flame virus. The Red October malware contains 1,000 separate modules in 30 categories, allowing attackers to serve unique combinations of payloads to their targets based on each victim’s specific computer configuration and profile.

In an interview, Costin Raiu of the Kaspersky Lab GReAT Team said, “since Monday, when the first report of the campaign came out, hosting providers and domain owners have been shutting down servers used to help run the campaign.”

“It’s clear that the infrastructure is being shut down. This time it’s being shut down for good,” Raiu said. “It’s not only the registrars killing the domains, and the hosting providers killing the command-and-control servers, but perhaps the attackers shutting down the whole operation.”

One of Red October’s strengths is a command and control (C&C) infrastructure that employs multiple layers of computers and domain names acting as proxies to hide the core functionality of the network.  Raiu was quoted as describing the network design as “an onion with multiple skins”, communicating to a control server at the center that collects all of the stolen information.

Raiu went on to say that the majority of the servers and domains shut down so far represent only the first level of the threat, essentially the proxy layer. He also speculated that the malware controllers may simply let the operation go dormant for a while until the heat is off. However, it seems likely that the attackers would reappear in the near future using updated malware, domains and control servers.

Red October is a large and comprehensive attack framework that was designed to enable attackers to conduct long-term operations against their chosen targets. It’s likely that researchers haven’t even scratched the surface with regard to the complexities involved in this campaign.

 

About the author…

Chris Dougherty is a grey hat hacker and online security expert.  Please visit his blog, www.VirtualThreat.com, for more excellent news and information about protecting yourself in cyberspace.

This article is offered under Creative Commons license. It’s okay to republish it anywhere as long as attribution bio is included and all links remain intact.

 


