Wednesday, January 16, 2013

Has a Foreign Intelligence Service Been Targeting Russian Embassies?

Yesterday I posed the theory that the Russian Business Network (RBN) was behind the Red October attacks. However, in the interest of alternative analysis, I'd like to propose a different theory that also fits the facts contained in Kaspersky's report: that a Foreign Intelligence Service (FIS) has been targeting Russian and CIS embassies.

Kaspersky's FAQ on Red October (which they abbreviate ROCRA) says that it was brought to their attention by a "partner" who prefers to remain anonymous. Considering that the primary targets of ROCRA were Russian embassies and government agencies, that unnamed partner was most likely the FSB. After all, Kaspersky Lab does significant business with the Russian government, according to Noah Shachtman's Wired profile of Eugene Kaspersky:
One of GREAT’s frequent partners in fighting cybercrime, however, is the FSB. Kaspersky staffers serve as an outsourced, unofficial geek squad to Russia’s security service. They’ve trained FSB agents in digital forensic techniques, and they’re sometimes asked to assist on important cases.
The Red October report listed many embassies in multiple countries as victims but didn't identify whether those were Russian embassies or those of other nation states. Since the malware was looking for Cyrillic characters in documents, it makes sense to assume that the targets were Russia's embassies in foreign countries; note that Cyrillic alone does not distinguish Russian text from Ukrainian, Belarusian or other CIS languages written in the same script, which is why CIS missions belong in the same theory. It would be nice if GREAT (Kaspersky's Global Research and Analysis Team) would confirm or deny whether that was the case.
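How a Cyrillic-content filter of the kind the report describes can work, as an added example (this is not Red October's code; the post only says the malware looked for Cyrillic characters, and its exact heuristic is not described here). It goes beyond that single check in two ways a practitioner would want: it tries the encodings Russian-language documents commonly use, and it rejects binary content first, because the legacy single-byte codecs cp1251 and koi8-r would otherwise map the high bytes of an image or executable onto Cyrillic letters and produce false positives. The sample documents and the 0.3 threshold are constructed for the illustration.

```python
"""Added illustration: does a document's content look Cyrillic?

Not Red October's code. The post only says the malware looked for Cyrillic
characters in documents; this is a defender's reconstruction of such a
filter, extended to the encodings Russian-language documents commonly use.
"""
import codecs
from typing import Optional, Tuple

# The Unicode Cyrillic block: Russian, Ukrainian, Belarusian, Kazakh and others.
CYRILLIC = range(0x0400, 0x0500)

# Single-byte Russian codecs accept almost any byte sequence, so they are only
# consulted when the self-validating UTF-8 decode fails.
LEGACY_ENCODINGS = ("cp1251", "koi8-r")

TEXT_CONTROL_BYTES = {0x09, 0x0A, 0x0D}  # tab, LF, CR are normal in text


def is_probably_binary(data: bytes) -> bool:
    """Crude binary sniff: NUL bytes or many control bytes mean 'not text'.

    Without this, cp1251/koi8-r would decode an image or an executable into a
    wall of Cyrillic letters and the filter would report a false positive.
    """
    if b"\x00" in data:
        return True
    control = sum(1 for b in data if b < 0x20 and b not in TEXT_CONTROL_BYTES)
    return bool(data) and control / len(data) > 0.05


def cyrillic_ratio(text: str) -> float:
    """Fraction of alphabetic characters that fall in the Cyrillic block."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return 0.0
    return sum(1 for c in letters if ord(c) in CYRILLIC) / len(letters)


def decode_document(data: bytes) -> Tuple[Optional[str], str]:
    """Return (encoding, text) using the first codec that accepts the bytes.

    A BOM-marked UTF-16 or a clean UTF-8 decode is trusted outright. Only if
    UTF-8 rejects the bytes are cp1251 and koi8-r tried; because both map
    0xC0-0xFF onto Cyrillic letters (with upper/lower case swapped), a pure
    letter ratio cannot tell them apart, so ties go to cp1251.
    """
    if data[:2] in (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE):
        try:
            return "utf-16", data.decode("utf-16")
        except UnicodeDecodeError:
            pass
    try:
        return "utf-8", data.decode("utf-8")
    except UnicodeDecodeError:
        pass
    best_enc, best_text, best_ratio = None, "", -1.0
    for enc in LEGACY_ENCODINGS:
        try:
            text = data.decode(enc)
        except UnicodeDecodeError:  # cp1251 leaves byte 0x98 undefined
            continue
        ratio = cyrillic_ratio(text)
        if ratio > best_ratio:
            best_enc, best_text, best_ratio = enc, text, ratio
    return best_enc, best_text


def looks_cyrillic(data: bytes, threshold: float = 0.3) -> Tuple[bool, Optional[str]]:
    """Return (matched, encoding) for a document's raw bytes.

    The 0.3 threshold is an assumed value: it lets mixed-language documents
    (an English report with a Russian annex) through while ignoring a stray
    Cyrillic character or two in an otherwise Latin-script file.
    """
    if is_probably_binary(data):
        return False, None
    enc, text = decode_document(data)
    if enc is None:
        return False, None
    return cyrillic_ratio(text) >= threshold, enc


if __name__ == "__main__":
    # Constructed sample documents, not material from the Kaspersky report.
    samples = {
        "russian-utf8": "Посольство Российской Федерации".encode("utf-8"),
        "russian-cp1251": "Министерство иностранных дел".encode("cp1251"),
        "mixed-utf8": "Embassy report: see Приложение 1".encode("utf-8"),
        "english": b"Embassy of the United States of America",
        "binary": bytes(range(256)) * 4,
    }
    for name, blob in samples.items():
        print(f"{name:15s} -> {looks_cyrillic(blob)}")
```

The ordering of decoders is the point worth remembering when writing this kind of filter: UTF-8 rejects most non-UTF-8 input, so a clean decode is strong evidence, whereas cp1251 and koi8-r will happily "decode" anything, which is why they are fallbacks gated behind a binary check rather than peers of UTF-8.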

Many of ROCRA's command and control servers were registered with Russian registrars. However, Russian law and regulations require the registrant to provide accurate contact information and to confirm it with an authoritative document (something that we in the U.S. should also require, but don't), normally a Russian citizen's internal passport. A foreign service is not going to register its infrastructure under a genuine Russian identity, so the perpetrator was either using stolen identity documents (Russian passport numbers and tax IDs have been posted on Runet) to obtain the domain names, or the servers themselves were compromised hosts belonging to someone else.

As far as which FIS might be responsible, there's no way to say, but there's certainly no lack of suspects. The malware's interest in files produced by Acid Cryptofiler, an encryption tool used by NATO and EU institutions, suggests that it might be a NATO or EU member country, although what an attacker collects says more about the victims' tooling than about the attacker's own nationality.
