Operation Red October or Red October was a cyberespionage malware program discovered in October 2012 and uncovered in January 2013 by Russian firm Kaspersky Lab. The malware was reportedly operating worldwide for up to five years prior to discovery, transmitting information ranging from diplomatic secrets to personal information, including from mobile devices. The primary vectors used to install the malware were emails containing attached documents that exploited vulnerabilities in Microsoft Word and Excel. [1] [2] Later, a webpage was found that exploited a known vulnerability in the Java browser plugin. [1] [3] Red October was termed an advanced cyberespionage campaign intended to target diplomatic, governmental and scientific research organizations worldwide.
A map of the extent of the operation was released by the Kaspersky Lab – the "Moscow-based antivirus firm that uncovered the campaign." [4]
After being revealed, domain registrars and hosting companies shut down as many as 60 domains, used by the virus creators to receive information. The attackers, themselves, shut down their end of the operation, as well. [ citation needed ]
The perpetrator of the operation has not been conclusively determined but it appeared to have been in operation on some level since May 2007 at the latest. According to Kaspersky Lab, Russian slang words were found in the code which would be "generally unknown to non-native Russian speakers." However, the program also appeared to be built on existing exploits developed by Chinese hackers and previously used against Tibetan activists. [4]
Country | Government | Embassy (Diplomatic) | Military | Nuclear / Energy Research | Aerospace | Oil & Gas Industry | Trade and Commerce | Research Institutions | Unknown Victims |
---|---|---|---|---|---|---|---|---|---|
United States | No | Yes | No | No | No | No | No | No | No |
Russia | No | Yes | Yes | Yes | No | No | No | Yes | No |
Belarus | Yes | Yes | Yes | Yes | No | Yes | No | Yes | No |
Kazakhstan | Yes | Yes | Yes | Yes | Yes | No | No | No | No |
United Arab Emirates | Yes | Yes | No | Yes | No | Yes | No | No | No |
Azerbaijan | No | Yes | No | Yes | No | Yes | No | Yes | No |
Turkmenistan | Yes | No | No | Yes | No | Yes | No | No | No |
Afghanistan | Yes | Yes | Yes | No | No | No | No | No | No |
Moldova | Yes | Yes | Yes | No | No | No | No | No | No |
France | No | Yes | Yes | No | No | No | No | No | No |
Spain | Yes | Yes | No | No | No | No | No | No | No |
Armenia | Yes | Yes | No | No | No | No | No | No | No |
Cyprus | Yes | Yes | No | No | No | No | No | No | No |
Iraq | Yes | No | No | No | No | No | No | No | No |
Brunei | Yes | No | No | No | No | No | No | No | No |
Luxembourg | Yes | No | No | No | No | No | No | No | No |
India | No | Yes | No | No | No | No | No | No | No |
Uganda | No | Yes | No | No | No | No | No | No | No |
Pakistan | No | Yes | No | No | No | No | No | No | No |
Oman | No | Yes | No | No | No | No | No | No | No |
Saudi Arabia | No | Yes | No | No | No | No | No | No | No |
Italy | No | Yes | No | No | No | No | No | No | No |
Portugal | No | Yes | No | No | No | No | No | No | No |
Morocco | No | Yes | No | No | No | No | No | No | No |
Israel | No | Yes | No | No | No | No | No | No | No |
Jordan | No | Yes | No | No | No | No | No | No | No |
Greece | No | Yes | No | No | No | No | No | No | No |
Ireland | No | Yes | No | No | No | No | No | No | No |
Belgium | No | Yes | No | No | No | No | No | No | No |
Germany | No | Yes | No | No | No | No | No | No | No |
Hungary | No | Yes | No | No | No | No | No | No | No |
Mauritania | No | Yes | No | No | No | No | No | No | No |
Congo | No | Yes | No | No | No | No | No | No | No |
South Africa | No | Yes | No | No | No | No | No | No | No |
Botswana | No | Yes | No | No | No | No | No | No | No |
Mozambique | No | Yes | No | No | No | No | No | No | No |
Tanzania | No | Yes | No | No | No | No | No | No | No |
Kenya | No | Yes | No | No | No | No | No | No | No |
Lithuania | No | Yes | No | No | No | No | No | No | No |
Latvia | No | Yes | No | No | No | No | No | No | No |
Turkey | No | Yes | No | No | No | No | No | No | No |
Iran | No | Yes | No | No | No | No | No | No | No |
Uzbekistan | No | Yes | No | No | No | No | No | No | No |
Kuwait | No | Yes | No | No | No | No | No | No | No |
Switzerland | No | Yes | No | No | No | No | No | No | No |
Lebanon | No | Yes | No | No | No | No | No | No | No |
Austria | No | Yes | No | No | No | No | No | No | No |
Georgia | No | Yes | No | No | No | No | No | No | No |
Bosnia & Herzegovina | No | Yes | No | No | No | No | No | No | No |
Serbia | No | No | No | No | No | No | No | No | Yes |
Finland | No | No | No | No | No | No | No | No | Yes |
Czech Republic | No | No | No | No | No | No | No | No | Yes |
Slovakia | No | No | No | No | No | No | No | No | Yes |
Macedonia | No | No | No | No | No | No | No | No | Yes |
Albania | No | No | No | No | No | No | No | No | Yes |
Mali | No | No | No | No | No | No | No | No | Yes |
Australia | No | No | No | No | No | No | No | No | Yes |
Chile | No | No | No | No | No | No | No | No | Yes |
Brazil | No | No | No | No | No | No | No | No | Yes |
Ethiopia | No | No | No | No | No | No | No | No | Yes |
Bulgaria | No | No | No | No | No | No | No | No | Yes |
Bahrain | No | No | No | No | No | No | No | No | Yes |
Slovakia | No | No | No | No | No | No | No | No | Yes |
Watering hole is a computer attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware. Eventually, some member of the targeted group will become infected. Hacks looking for specific information may only attack users coming from a specific IP address. This also makes the hacks harder to detect and research. The name is derived from predators in the natural world, who wait for an opportunity to attack their prey near watering holes.
A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.
Kaspersky Lab is a Russian multinational cybersecurity and anti-virus provider headquartered in Moscow, Russia, and operated by a holding company in the United Kingdom. It was founded in 1997 by Eugene Kaspersky, Natalya Kaspersky, and Alexey De-Monderik; Eugene Kaspersky is currently the CEO. Kaspersky Lab develops and sells antivirus, internet security, password management, endpoint security, and other cybersecurity products and services.
Cyber spying, cyber espionage, or cyber-collection is the act or practice of obtaining secrets and information without the permission and knowledge of the holder of the information using methods on the Internet, networks or individual computers through the use of proxy servers, cracking techniques and malicious software including Trojan horses and spyware. Cyber espionage can be used to target various actors- individuals, competitors, rivals, groups, governments, and others- in order to obtain personal, economic, political or military advantages. It may wholly be perpetrated online from computer desks of professionals on bases in far away countries or may involve infiltration at home by computer trained conventional spies and moles or in other cases may be the criminal handiwork of amateur malicious hackers and software programmers.
Operation Aurora was a series of cyber attacks conducted by advanced persistent threats such as the Elderwood Group based in Beijing, China, with ties to the People's Liberation Army. First publicly disclosed by Google on January 12, 2010, in a blog post, the attacks began in mid-2009 and continued through December 2009.
An advanced persistent threat (APT) is a stealthy threat actor, typically a state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.
OSX.FlashBack, also known as the Flashback Trojan, Fakeflash, or Trojan BackDoor.Flashback, is a Trojan horse affecting personal computer systems running Mac OS X. The first variant of Flashback was discovered by antivirus company Intego in September 2011.
Flame, also known as Flamer, sKyWIper, and Skywiper, is modular computer malware discovered in 2012 that attacks computers running the Microsoft Windows operating system. The program is used for targeted cyber espionage in Middle Eastern countries.
Seculert is a cloud-based cyber security technology company based in Israel. The company's technology is designed to detect breaches and Advanced Persistent Threats (APTs), attacking networks. Seculert's business is based on malware research and the ability to uncover malware that has gone undetected by other traditional measures.
Careto, sometimes called The Mask, is a piece of espionage malware discovered by Kaspersky Lab in 2014. Because of its high level of sophistication and professionalism, and a target list that included diplomatic offices and embassies, Careto is believed to be the work of a nation state. Kaspersky believes that the creators of the malware were Spanish-speaking.
Turla or Uroboros is a Trojan package that is suspected by computer security researchers and Western intelligence officers to be the product of a Russian government agency of the same name.
Regin is a sophisticated malware and hacking toolkit used by United States' National Security Agency (NSA) and its British counterpart, the Government Communications Headquarters (GCHQ). It was first publicly revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. The malware targets specific users of Microsoft Windows-based computers and has been linked to the US intelligence-gathering agency NSA and its British counterpart, the GCHQ. The Intercept provided samples of Regin for download, including malware discovered at a Belgian telecommunications provider, Belgacom. Kaspersky Lab says it first became aware of Regin in spring 2012, but some of the earliest samples date from 2003. Among computers infected worldwide by Regin, 28 percent were in Russia, 24 percent in Saudi Arabia, 9 percent each in Mexico and Ireland, and 5 percent in each of India, Afghanistan, Iran, Belgium, Austria, and Pakistan.
Carbanak is an APT-style campaign targeting financial institutions, that was discovered in 2014 by the Russian cyber security company Kaspersky Lab. It utilizes malware that is introduced into systems running Microsoft Windows using phishing emails, which is then used to steal money from banks via macros in documents. The hacker group is said to have stolen over 900 million dollars, from the banks as well as from over a thousand private customers.
The Equation Group, classified as an advanced persistent threat, is a highly sophisticated threat actor suspected of being tied to the Tailored Access Operations (TAO) unit of the United States National Security Agency (NSA). Kaspersky Labs describes them as one of the most sophisticated cyber attack groups in the world and "the most advanced (...) we have seen", operating alongside the creators of Stuxnet and Flame. Most of their targets have been in Iran, Russia, Pakistan, Afghanistan, India, Syria and Mali.
An exploit kit is a tool used for automatically managing and deploying exploits against a target computer. Exploit kits allow attackers to deliver malware without having advanced knowledge of the exploits being used. Browser exploits are typically used, although they may also include exploits targeting common software, such as Adobe Reader, or the operating system itself. Most kits are written in PHP.
Cozy Bear, classified by the United States federal government as advanced persistent threat APT29, is a Russian hacker group believed to be associated with one or more intelligence agencies of Russia. The Dutch General Intelligence and Security Service (AIVD) deduced from security camera footage that it is led by the Russian Foreign Intelligence Service (SVR); this view is shared by the United States. Cybersecurity firm CrowdStrike also previously suggested that it may be associated with either the Russian Federal Security Service (FSB) or SVR. The group has been given various nicknames by other cybersecurity firms, including CozyCar, CozyDuke, Dark Halo, The Dukes, NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM.
Lazarus Group is a cybercrime group made up of an unknown number of individuals run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them between 2010 and 2021. Originally a criminal group, the group has now been designated as an advanced persistent threat due to intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra and Zinc.
NetTraveler or TravNet is spyware that dates from 2004 and that has been actively used at least until 2016, infecting hundreds of often high-profile servers in dozens of countries.
Havex malware, also known as Backdoor.Oldrea, is a RAT employed by the Russian attributed APT group “Energetic Bear” or “Dragonfly." Havex was discovered in 2013 and is one of five known ICS tailored malware developed in the past decade. These malwares include Stuxnet, BlackEnergy, Industroyer/CRASHOVERRIDE, and TRITON/TRISIS. Energetic Bear began utilizing Havex in a widespread espionage campaign targeting energy, aviation, pharmaceutical, defense, and petrochemical sectors. The campaign targeted victims primarily in the United States and Europe.
Candiru is a Tel Aviv-based technology company offering surveillance and cyberespionage technology to governmental clients.