SCCyberworld

Wednesday, January 16, 2013

Kaspersky Lab Identifies Operation “Red October”


An Advanced Cyber-Espionage Campaign Targeting Diplomatic and Government Institutions Worldwide

PETALING JAYA, 15 JANUARY 2013
Attackers Created Unique, Highly-Flexible Malware to Steal Data and Geopolitical Intelligence from Target Victims’ Computer Systems, Mobile Phones and Enterprise Network Equipment

Today Kaspersky Lab published a new research report which identified an elusive cyber-espionage campaign targeting diplomatic, governmental and scientific research organizations in several countries for at least five years. The primary focus of this campaign targets countries in Eastern Europe, former USSR Republics, and countries in Central Asia, although victims can be found everywhere, including Western Europe and North America. The main objective of the attackers was to gather sensitive documents from the compromised organizations, which included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment.


In October 2012 Kaspersky Lab’s team of experts initiated an investigation following a series of attacks against computer networks targeting international diplomatic service agencies. A large scale cyber-espionage network was revealed and analyzed during the investigation. According to Kaspersky Lab’s analysis report, Operation Red October, called “Rocra” for short, is still active as of January 2013, and has been a sustained campaign dating back as far as 2007.

Main Research Findings
________________________________________
Red October’s Advanced Cyber-espionage Network: The attackers have been active since at least 2007 and have been focusing on diplomatic and governmental agencies of various countries across the world, in addition to research institutions, energy and nuclear groups, and trade and aerospace targets. The Red October attackers designed their own malware, identified as “Rocra,” which has its own unique modular architecture composed of malicious extensions, info-stealing modules and backdoor Trojans.

The attackers often used information exfiltrated from infected networks as a way to gain entry into additional systems. For example, stolen credentials were compiled in a list and used when the attackers needed to guess passwords or phrases to gain access to additional systems.

To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries, with the majority being in Germany and Russia. Kaspersky Lab’s analysis of Rocra’s Command & Control (C2) infrastructure shows that the chain of servers was actually working as proxies in order to hide the location of the ‘mothership’ control server.

Information stolen from infected systems includes documents with the extensions: txt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau, cif, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca, aciddsk, acidpvr, acidppr, acidssa. In particular, the “acid*” extensions appear to refer to the classified software “Acid Cryptofiler”, which is used by several entities, from the European Union to NATO.

Infecting Victims
To infect systems the attackers sent a targeted spear-phishing email to a victim that included a customized Trojan dropper. In order to install the malware and infect the system, the malicious email included exploits rigged for security vulnerabilities in Microsoft Office and Microsoft Excel. The exploits in the documents used in the spear-phishing emails were created by other attackers and had been employed in different cyber attacks, including attacks against Tibetan activists as well as military and energy sector targets in Asia. The only thing changed in the document used by Rocra was the embedded executable, which the attackers replaced with their own code. Notably, one of the commands in the Trojan dropper changed the default system codepage of the command prompt session to 1251, which is required to render Cyrillic fonts.
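As an added example (not code from the page or from Kaspersky Lab), the two host-side indicators the release describes, a document handler spawning a shell that switches to codepage 1251 and access to files with the extensions listed above, expressed as simple detection logic over constructed process and file events. The `chcp 1251` command-line form, the `ProcEvent` shape and the handler process names are assumptions, not details from the report.

```python
import re
from dataclasses import dataclass

# Extensions the report says Rocra collects; the "acid*" ones belong to Acid Cryptofiler.
ROCRA_EXTENSIONS = {
    "txt", "csv", "eml", "doc", "vsd", "sxw", "odt", "docx", "rtf", "pdf",
    "mdb", "xls", "wab", "rst", "xps", "iau", "cif", "key", "crt", "cer",
    "hse", "pgp", "gpg", "xia", "xiu", "xis", "xio", "xig", "acidcsa",
    "acidsca", "aciddsk", "acidpvr", "acidppr", "acidssa",
}
ACID_EXTENSIONS = {e for e in ROCRA_EXTENSIONS if e.startswith("acid")}

# Applications that open the lure documents (Office and Adobe Reader, per the report).
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "acrord32.exe"}

# Assumption (not stated on the page): the codepage switch appears in the command line as "chcp 1251".
CODEPAGE_RE = re.compile(r"\bchcp\s+1251\b", re.IGNORECASE)

@dataclass
class ProcEvent:
    parent_image: str   # process that spawned the shell
    command_line: str   # full command line of the spawned shell

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def suspicious_codepage_change(ev):
    """True when a document handler spawns a shell that switches to codepage 1251."""
    return (basename(ev.parent_image).lower() in DOCUMENT_HANDLERS
            and CODEPAGE_RE.search(ev.command_line) is not None)

def extension_of(path):
    name = basename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def classify_paths(paths):
    """Split accessed paths into Acid Cryptofiler containers and other targeted documents."""
    acid = [p for p in paths if extension_of(p) in ACID_EXTENSIONS]
    other = [p for p in paths if extension_of(p) in ROCRA_EXTENSIONS - ACID_EXTENSIONS]
    return acid, other

# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE", "cmd.exe /c chcp 1251 && dropper.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", "cmd.exe /c chcp 437"),
]
SAMPLE_PATHS = [r"D:\share\brief.docx", r"D:\share\key.acidcsa", r"D:\share\notes.log"]
```

Matching on the codepage switch alone would be noisy on Russian-language hosts; the parent-process condition is what ties it to the document-borne infection chain described above.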

Targeted Victims & Organizations
Kaspersky Lab’s experts used two methods to analyze the target victims. First, they used detection statistics from the Kaspersky Security Network (KSN), the cloud-based security service used by Kaspersky Lab products to report telemetry and deliver advanced threat protection in the form of blacklists and heuristic rules. KSN had been detecting the exploit code used in the malware as early as 2011, which enabled Kaspersky Lab’s experts to search for similar detections related to Rocra. The second method used by Kaspersky Lab’s research team was creating a sinkhole server so they could monitor infected machines connecting to Rocra’s C2 servers. The data received from both methods provided two independent ways of correlating and confirming their findings.

KSN statistics: Several hundred unique infected systems were detected in the data from KSN, with the focus being on multiple embassies, government networks and organizations, scientific research institutes and consulates. According to KSN’s data, the majority of identified infections were located in Eastern Europe, but other infections were also identified in North America and in Western European countries such as Switzerland and Luxembourg.
Sinkhole statistics: Kaspersky Lab’s sinkhole analysis took place from November 2, 2012 – January 10, 2013. During this time more than 55,000 connections from 250 infected IP addresses were registered in 39 countries. The majority of infected IP connections were coming from Switzerland, followed by Kazakhstan and Greece.

Rocra malware: unique architecture and functionality
The attackers created a multi-functional attack platform that includes several extensions and malicious files designed to quickly adjust to different systems’ configurations and harvest intelligence from infected machines. The platform is unique to Rocra and has not been identified by Kaspersky Lab in previous cyber-espionage campaigns. Notable characteristics include:

“Resurrection” module: A unique module that enables the attackers to “resurrect” infected machines. The module is embedded as a plug-in inside Adobe Reader and Microsoft Office installations and provides the attackers a foolproof way to regain access to a target system if the main malware body is discovered and removed, or if the system is patched. Once the C2s are operational again the attackers send a specialized document file (PDF or Office document) to victims’ machines via e-mail which will activate the malware again.
Advanced cryptographic spy-modules: The main purpose of the spying modules is to steal information. This includes files from different cryptographic systems, such as Acid Cryptofiler, which is known to be used in organizations of NATO, the European Union, European Parliament and European Commission since the summer of 2011 to protect sensitive information.
Mobile Devices: In addition to targeting traditional workstations, the malware is capable of stealing data from mobile devices, such as smartphones (iPhone, Nokia and Windows Mobile). The malware is also capable of stealing configuration information from enterprise network equipment such as routers and switches, as well as deleted files from removable disk drives.

Attacker identification: Based on the registration data of C2 servers and the numerous artifacts left in executables of the malware, there is strong technical evidence to indicate the attackers have Russian-speaking origins. In addition, the executables used by the attackers were unknown until recently, and were not identified by Kaspersky Lab’s experts while analyzing previous cyber-espionage attacks.

Kaspersky Lab, in collaboration with international organizations, law enforcement agencies and Computer Emergency Response Teams (CERTs) is continuing its investigation of Rocra by providing technical expertise and resources for remediation and mitigation procedures.

Kaspersky Lab would like to express their thanks to: US-CERT, the Romanian CERT and the Belarusian CERT for their assistance with the investigation.

The Rocra malware is successfully detected, blocked and remediated by Kaspersky Lab’s products, classified as Backdoor.Win32.Sputnik.

Read the full research report of Rocra by Kaspersky Lab’s experts at Securelist.com.


Kaspersky Lab Identifies Operation “Red October”, an Advanced Cyber-Espionage Campaign Targeting Diplomatic and Government Institutions Worldwide

Attackers created unique and highly flexible malware to steal data and geopolitical intelligence from victims’ computer systems, mobile phones and enterprise network equipment.

PETALING JAYA, 16 JANUARY
Today Kaspersky Lab published a new research report announcing the discovery of a cyber-espionage campaign that has targeted diplomatic, governmental and scientific research organizations in several countries for at least five years. The campaign’s primary targets are certain countries in Eastern Europe, former Soviet republics and some countries in Central Asia, but its victims are spread widely and also include countries in Western Europe and North America. The attackers’ main goal was to collect sensitive files from these organizations, including geopolitical intelligence, credentials for accessing classified computer systems, and data from personal mobile devices and network equipment.

In October 2012, Kaspersky Lab’s security experts began an investigation into a series of computer network attacks against international diplomatic service agencies. During the investigation we discovered and analyzed a large-scale cyber-espionage network. According to Kaspersky Lab’s analysis report, Operation Red October (Rocra for short) dates back to at least 2007 and was still active as of January 2013.


Main Research Findings
________________________________________
Red October’s advanced cyber-espionage network: The attackers have been active since at least 2007, concentrating their attacks on the diplomatic and governmental agencies of many countries around the world. Research institutes, energy and nuclear organizations, and trade and aerospace organizations have also been targeted. The Red October attackers designed their own malware, known as “Rocra”, which has its own unique modular architecture made up of malicious extensions, information-stealing modules and backdoor programs.

The attackers often used information obtained from infected networks to gain access to other systems. For example, stolen credentials were collected into a list, which the attackers used when they needed to guess passwords or passphrases to access additional systems.

To control the network of infected computers, the attackers created more than 60 domain names and hosted servers in several countries, most of them in Germany and Russia. Kaspersky Lab’s analysis of Rocra’s command-and-control (C2) infrastructure found that many of the servers merely acted as proxies, in order to hide the true location of the “mothership” control server.

The information the attackers stole from infected systems includes documents with the following extensions: txt, csv, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau, cif, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca, aciddsk, acidpvr, acidppr and acidssa. In particular, files with the “acid*” extensions are used by the classified software “Acid Cryptofiler”, which is used by several institutions of the European Union and NATO.

Infecting victims
To infect a system, the attackers send the victim a targeted spear-phishing email containing a customized Trojan dropper. To install the malware and infect the system, the email contains exploits that attack vulnerabilities in the Microsoft Office software installed on the system. The exploits in the phishing documents were created by other attackers and used in different attack campaigns, including attacks on military and energy targets in Asia. The only difference in the documents used in the Rocra attacks is that the attackers modified the embedded executable code, replacing it with code they developed themselves. Notably, one command in the Trojan dropper changes the command prompt’s default system codepage to 1251 so that Cyrillic fonts can be rendered.

Targeted victims and organizations
Kaspersky Lab’s security experts used two methods to analyze the victims. First, they used detection statistics collected by Kaspersky Security Network (KSN), the cloud-based security service integrated into Kaspersky Lab products, which generates infection telemetry and provides advanced threat protection in the form of blacklists and heuristic detection rules. KSN found that the exploit code used in the malware had been in use as early as 2011, which allowed Kaspersky Lab’s experts to search for infections similar to Rocra. The second method used by the research team was to set up a sinkhole server to monitor infected computers connecting to Rocra’s C2 servers. The data collected by both methods confirmed our findings from two independent angles.

KSN statistics: KSN data showed several hundred different infected systems, mainly at embassies, government networks and organizations, scientific research institutes and consulates. According to KSN data, most infections were located in Eastern Europe, but infected systems were also found in North America and in some Western European countries such as Switzerland and Luxembourg.

Sinkhole statistics: Kaspersky Lab’s sinkhole analysis ran from November 2, 2012 to January 10, 2013. During this period we recorded more than 55,000 connections from 250 infected IP addresses in 39 countries. Most of the infected IP connections came from Switzerland, followed by Kazakhstan and Greece.

Rocra malware: unique architecture and functionality
The attackers built a multi-functional attack platform consisting of several extensions and malicious files that can quickly adapt to different system configurations and gather intelligence from infected computers. Rocra’s platform is highly unusual; Kaspersky Lab had not encountered it in earlier cyber-espionage investigations. The platform has the following characteristics:

“Resurrection” module: This unique module lets the attackers “resurrect” infected computers. It is embedded as a plug-in in Adobe Reader and Microsoft Office installations and gives the attackers an easy way to regain access to a compromised system even after the malware on it has been discovered and removed, or after the system has been patched. Once the C2 servers are running again, the attackers send the infected computer an email containing a special file (a PDF or Office document) that reactivates the malware.

Advanced cryptographic spy modules: The main purpose of the spy modules is to steal information, including files from various cryptographic systems such as Acid Cryptofiler, which has been used by NATO, the European Union, the European Parliament and the European Commission since the summer of 2011 to protect sensitive information.

Mobile devices: In addition to attacking traditional workstations, the Rocra malware can steal data from mobile devices such as smartphones (iPhone, Nokia and Windows Mobile). It can also steal configuration information from enterprise network equipment such as routers and switches, as well as deleted files from removable storage devices.

Attacker identification: Based on the registration data of the C2 servers and the malware’s executable code, we have strong technical evidence that the attackers come from Russian-speaking countries. In addition, the executables used by the attackers were only discovered recently; Kaspersky Lab did not encounter this malware while investigating earlier cyber-espionage campaigns.

Kaspersky Lab is continuing its investigation of Rocra together with several international organizations, law-enforcement agencies and Computer Emergency Response Teams (CERTs), providing the relevant technical support and resources to remediate the damage caused by the infections.

Kaspersky Lab thanks US-CERT, the Romanian CERT and the Belarusian CERT for their generous assistance with the investigation.

Kaspersky Lab’s products already detect and block the Rocra malware and remediate infected systems. Kaspersky products detect the malware as Backdoor.Win32.Sputnik.

To read the full Rocra research report published by Kaspersky Lab, visit Securelist.com.
