Red October: The hunt for data

The recent discovery of the Red October malware has focused a lot on its effects, but inadequate attention has been given to its purpose – which successfully evaded anti-virus and network intrusion detection systems for at least five years.

The malware contained many of the traditional functions associated with malware, such as key logging. But focusing on these traditional capabilities misses a key point: hijacking local data, such as files and credentials, was the means—but not the end.

Red October contained two interesting aspects:

• Attackers recycled stolen data from victims of the same sector to make their spear phishing emails less suspicious by incorporating some context that would be familiar to the victim.
• Ability to identify and access the important data centres.

The victims of this cyber-espionage operation belonged to the most protected and threat aware sectors – government, energy, aerospace and military. The potential bounty that can be extracted from such victims is varied both in content and in type: documents and presentations of meeting summaries and strategic plans, database financial records, CRM records, technical blueprints of weapons and infrastructure, sensitive email conversations and more.

Rocra, the name of the malware used in the Red October campaign, is APT by the book. It has specific modules for each of the elements needed for an APT attack: Reconnaissance gathering, spreading, persistence maintenance, data extraction and data exfiltration.

Specifically, it has capabilities to access both unstructured data (files) as well as structured data (database records), or as the Kaspersky Labs Report noted, it would “Collect information about installed software, most notably Oracle DB-¦”

What do these modules do? Let’s break down some of them:

• The purpose of the “Recon” modules is to help the attacker find the right data.
• The purpose of the “Exfiltration” modules is to deliver the data to the attacker.

Overall, Rocra’s modules are capable of reaching FTP servers, remote network shares as well as local disk drives and copy files from these resources. Unlike the “Recon” data collection modules which are invoked by the attacker “on demand”, the “Exfiltration” modules are designed to run repeatedly and bring only new valuable data.

The infiltration to the networks and end points of the victims was conducted using vulnerable Excel and Word documents attached to carefully crafted email messages. The attached files recycled stolen data (and therefore context) from other victims of the same sector, making what would otherwise be a suspicious email, a legitimate email. It is reasonable to assume that the identity of the victim was also used to send the email with his positive reputation and appearance.

These targeted social engineering messages (“Spear Phishing”) bypassed “perimeter” security measures.

New software exploits will always be around to help circumvent “perimeter” security measures. DLP solutions were also probably defeated in this attack since Rocra implements a propriety data transmission protocol with the C&C that change both file content and file size.

However, data access patterns are difficult to change. Automation, among other attributes of data access, provides the attacker with speed and volume and cannot be discarded.

Was it possible to detect and prevent the data theft? Yes—had the victims monitored their data more closely rather than just monitoring the network perimeter and endpoints.

Author: Tom Goren Bar, Data Security Researcher at Imperva.