RBN Connection to Kaspersky's Red October Espionage Network
Kaspersky made an astonishing announcement today with its discovery of a sophisticated cyber espionage network (most likely Russian) that has been operating since May 2007 and continues to this day. It has successfully infiltrated embassies, research organizations, military and government agencies, energy facilities (including nuclear power plants) predominantly in the Commonwealth of Independent States, India and countries in Central Asia, among many others.
According to Kaspersky's report, the oldest domain name used in the Red October network was registered in November 2007, and the newest in May 2012. The November 2007 date immediately rang a bell in my memory as the date that the Russian Business Network went dark (November 4, 2007) and temporarily moved operations to China. Then, after a few weeks, they disappeared again.
The developers behind this campaign have built a toolkit similar to Flame but more sophisticated, which Kaspersky researchers have named ROCRA (short for Red October). Some of the key functionalities which make this toolkit stand out as unique are:
- The attackers have been active for at least five years, focusing on diplomatic and governmental agencies of various countries across the world. Information harvested from infected networks is reused in later attacks. For example, stolen credentials were compiled in a list and used when the attackers needed to guess passwords and network credentials in other locations. To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries (mainly Germany and Russia). The C&C infrastructure is actually a chain of servers working as proxies and hiding the location of the true "mothership" command and control server.
- The attackers created a multi-functional framework which is capable of applying quick extension of the features that gather intelligence. The system is resistant to C&C server takeover and allows the attacker to recover access to infected machines using alternative communication channels.
- Besides traditional attack targets (workstations), the system is capable of stealing data from mobile devices, such as smartphones (iPhone, Nokia, Windows Mobile); dumping enterprise network equipment configuration (Cisco); hijacking files from removable disk drives (including already deleted files via a custom file recovery procedure); stealing e-mail databases from local Outlook storage or remote POP/IMAP servers; and siphoning files from local network FTP servers.
The developers behind ROCRA, who are Russian, are comfortable using Chinese malware and adapting it for their own use according to the Kaspersky report. This fits the RBN profile to a 't'. I ran 13 IPs listed in Kaspersky's report against the RBN list maintained by James McQuade and found matching IP blocks for five of them:
Malicious servers
178.63.208.49 matches to 178.63.
188.40.19.247 matches to 188.40.
78.46.173.15 matches to 78.46.
88.198.30.44 matches to 88.198.
Mini-motherships
91.226.31.40 matches to 91.226.
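The matching described above compares the first two octets of each indicator address against the prefixes on the RBN list. The script below is an added example, not the post's own procedure or the RBN list itself (which is not on this page): it models each two-octet prefix as a /16 network (an assumption), reuses the five IPs and prefixes quoted above, adds one constructed control address from the documentation range, and does a longest-prefix match so that a more specific block, if one is added, wins over the /16.

```python
"""Match indicator IPs against suspect netblocks (added example).

Not the post's script.  The five IPs and two-octet prefixes are the ones
quoted in the post; the RBN list is not on the page, so each prefix is
modelled as a /16 (assumption).  192.0.2.1 is a constructed control address.
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple

# Two-octet prefixes quoted in the post ("178.63." etc.).
RBN_PREFIXES = ["178.63.", "188.40.", "78.46.", "88.198.", "91.226."]


def prefix_to_network(prefix: str) -> IPv4Network:
    """'178.63.' -> 178.63.0.0/16; accepts 1, 2 or 3 leading octets."""
    octets = [o for o in prefix.strip(".").split(".") if o]
    if not 1 <= len(octets) <= 3:
        raise ValueError(f"bad prefix {prefix!r}")
    padded = octets + ["0"] * (4 - len(octets))
    # Each octet given pins 8 bits of the prefix length.
    return ip_network(f"{'.'.join(padded)}/{8 * len(octets)}")


# Assumption: a two-octet match covers the whole /16.
RBN_NETWORKS: List[IPv4Network] = [prefix_to_network(p) for p in RBN_PREFIXES]

# Indicators quoted in the post, grouped as the post groups them,
# plus one constructed non-matching control address.
INDICATORS: Dict[str, List[str]] = {
    "malicious servers": ["178.63.208.49", "188.40.19.247",
                          "78.46.173.15", "88.198.30.44"],
    "mini-motherships": ["91.226.31.40"],
    "control (constructed)": ["192.0.2.1"],
}


def longest_match(ip: str, networks: Iterable[IPv4Network]) -> Optional[IPv4Network]:
    """Return the most specific network containing ip, or None."""
    addr = ip_address(ip)
    hits = [n for n in networks if addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def match_indicators(indicators: Dict[str, List[str]],
                     networks: Iterable[IPv4Network]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map every indicator IP to (role, matching netblock or None)."""
    nets = list(networks)
    result: Dict[str, Tuple[str, Optional[str]]] = {}
    for role, ips in indicators.items():
        for ip in ips:
            net = longest_match(ip, nets)
            result[ip] = (role, str(net) if net else None)
    return result


def coverage(network: IPv4Network) -> int:
    """Number of addresses a block spans; a /16 is 65,536."""
    return network.num_addresses


if __name__ == "__main__":
    for ip, (role, net) in match_indicators(INDICATORS, RBN_NETWORKS).items():
        print(f"{ip:16} {role:24} {net or 'no match'}")
    print("addresses per /16 block:", coverage(RBN_NETWORKS[0]))
```

A two-octet hit is a /16 comparison, so it says only that the server sits somewhere in a 65,536-address allocation; narrowing that to the specific sub-allocation (RIR whois or routing data) is the step that separates "same hosting range" from "same operator". If a more specific block such as `prefix_to_network("91.226.31.")` is added to the list, the longest-prefix match reports that /24 rather than the /16.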
It has been my belief for many years that the RBN has a working relationship with the Russian government; that it disappeared from view when the FBI sought the assistance of the FSB to shut down their operations in 2007 (as detailed in chapter 8 of my book); and that it has continued operating below the radar all this time. It provides distance and deniability to the FSB for certain offensive cyber operations and, in exchange, the FSB allows the RBN to operate as a criminal enterprise; a portion of which involves selling the data that it steals to whomever is interested.
Red October is already the most significant find of the new year. If, in fact, Kaspersky has uncovered an RBN-controlled espionage ring, it's going to be one of the most important discoveries of the decade.
1. Rocra isn't old malware, Chinese or otherwise. It's its own malware. It uses old techniques and vulnerabilities, but that isn't the same thing.
2. Using known malware and/or vulnerabilities is something that many people do. Most people don't develop entirely new malware for every attack. It isn't so rare a methodology that its use can be used to attribute anything to one group.
3. RBN was a bullet proof hosting provider. While RBN customers and some RBN associates did use preexisting malware and vulns, this doesn't mean that it was something that RBN itself did much of. Even if it was everything that RBN did, it wouldn't prove that a new case of using known malware or exploits was the work of RBN because almost everyone does it at some point.
2. One of the vulnerabilities used came from Metasploit, another from a US company. Not China. All of them were used in unrelated attacks after they became public.
3. RBN was a hosting provider for criminals. All that finding the use of RBN's IPs for a small number of early domains proves is that the Rocra attackers used a service aimed at people doing illegal things online.
4. Stating that RBN in fact never went away and has in fact spent the past 5+ years being super underground working in a partnership with the FSB is a big statement to make without any proof.
Hi Minna, thanks for your comment. The RBN's continued existence isn't a novel concept nor is the fact that Russian intelligence has worked with Russian organized crime for many years. I spent a good portion of chapter 8 in my book Inside Cyber Warfare detailing information and sources for both.
Regarding Rocra, I didn't call it old or new malware. I called it a toolkit, similar to Flame, which is how Kaspersky described it.
Regarding the common use and re-use of malware by various parties, I agree with you. I'm not sure what I said to give you the impression that I thought it was unique to the RBN or anyone else. My comment about the RBN and Chinese malware should have been more forthcoming. I meant to say that after the RBN went dark in November 2007, they moved operations to China for a while, before going dark a second time. Russian and Eastern European hackers frequently use Chinese resources in their attacks. It's certainly not exclusive to the RBN or anyone else.