
Wednesday, 16 January 2013

Has a Foreign Intelligence Service Been Targeting Russian Embassies?

Yesterday I posed the theory that the Russian Business Network (RBN) was behind the Red October attacks; however, in the interest of alternative analysis, I'd like to propose a different theory that also fits the facts contained in Kaspersky's report: that a Foreign Intelligence Service (FIS) has been targeting Russian and CIS embassies.

Kaspersky's FAQ on ROCRA says that it was brought to their attention by a "partner" who prefers to remain anonymous. Considering that the primary targets of ROCRA were Russian embassies and government agencies, that unnamed partner was most likely the FSB. After all, Kaspersky Labs does significant business with the Russian government, according to Noah Shachtman's Wired profile of Eugene Kaspersky:
One of GREAT’s frequent partners in fighting cybercrime, however, is the FSB. Kaspersky staffers serve as an outsourced, unofficial geek squad to Russia’s security service. They’ve trained FSB agents in digital forensic techniques, and they’re sometimes asked to assist on important cases.
The Red October report listed many embassies in multiple countries as victims but didn't identify whether those were Russian embassies or those of other nation states. Since the malware was looking for Cyrillic characters in documents, it makes sense to assume that the target was Russia's embassies in foreign countries. It would be nice if GREAT would confirm or deny whether that was the case.

Many of ROCRA's command and control servers were registered with Russian registrars. However, Russian law and regulations require the registrant to provide accurate contact information and to confirm that information with an authoritative document (something that we in the U.S. should also require, but don't). Normally this would be a Russian citizen's internal passport. So the perpetrator was either using compromised documents (Russian passport numbers and tax IDs have been posted on Runet) to obtain domain names, or the websites themselves were compromised bots.

As far as which FIS might be responsible, there's no way to say, but there's certainly no lack of suspects. The use of Acid Cryptofiler suggests that it might be a NATO or EU member country.

Monday, 14 January 2013

RBN Connection to Kaspersky's Red October Espionage Network

Kaspersky made an astonishing announcement today with its discovery of a sophisticated cyber espionage network (most likely Russian) that has been operating since May 2007 and continues to this day. It has successfully infiltrated embassies, research organizations, military and government agencies, energy facilities (including nuclear power plants) predominantly in the Commonwealth of Independent States, India and countries in Central Asia, among many others.

The developers behind this campaign have built a toolkit similar to Flame but more sophisticated which Kaspersky researchers have named ROCRA (short for Red October). Some of the key functionalities which make this toolkit stand out as unique are:
  • The attackers have been active for at least five years, focusing on diplomatic and governmental agencies of various countries across the world. Information harvested from infected networks is reused in later attacks. For example, stolen credentials were compiled in a list and used when the attackers needed to guess passwords and network credentials in other locations. To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries (mainly Germany and Russia). The C&C infrastructure is actually a chain of servers working as proxies and hiding the location of the true "mothership" command and control server.
  • The attackers created a multi-functional framework which is capable of applying quick extension of the features that gather intelligence. The system is resistant to C&C server takeover and allows the attacker to recover access to infected machines using alternative communication channels.
  • Besides traditional attack targets (workstations), the system is capable of stealing data from mobile devices, such as smartphones (iPhone, Nokia, Windows Mobile); dumping enterprise network equipment configuration (Cisco); hijacking files from removable disk drives (including already deleted files via a custom file recovery procedure); stealing e-mail databases from local Outlook storage or remote POP/IMAP servers; and siphoning files from local network FTP servers.
According to Kaspersky's report, the oldest domain name used in the Red October network was registered in November, 2007, and the newest in May, 2012. The November, 2007 date immediately rang a bell in my memory as the date that the Russian Business Network went dark (November 4, 2007) and temporarily moved operations to China. Then, after a few weeks, they disappeared again.

The developers behind ROCRA, who are Russian, are comfortable using Chinese malware and adapting it for their own use, according to the Kaspersky report. This fits the RBN profile to a 'T'. I ran 13 IPs listed in Kaspersky's report against the RBN list maintained by James McQuade and found matching IP blocks for five of them:

Malicious servers
178.63.208.49 matches to 178.63.
188.40.19.247 matches to 188.40.
78.46.173.15 matches to 78.46.
88.198.30.44 matches to 88.198.

Mini-motherships
91.226.31.40 matches to 91.226.
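The comparison above is a common enrichment step: checking a set of indicator IPs against a list of address blocks. The following Python script is an added example, not code from the original post or from James McQuade's list. It reads the post's "matches to 178.63." notation as the network 178.63.0.0/16 (an assumption; the post does not say how wide the listed blocks are), converts such dotted prefixes into proper CIDR networks, and tests membership with the standard ipaddress module rather than a string prefix check, which can mis-match across octet boundaries. The two non-matching indicators are constructed from documentation address space.

```python
import ipaddress

def prefix_to_network(prefix):
    """Turn a dotted prefix such as '178.63.' into the IPv4 network 178.63.0.0/16.

    One octet -> /8, two -> /16, three -> /24, four -> /32. Anything else is rejected.
    """
    octets = [o for o in prefix.strip().strip(".").split(".") if o]
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad prefix: {prefix!r}")
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(octets)}")

# Blocks from the post, read as /16 networks (assumption, see lead-in).
RBN_BLOCKS = [prefix_to_network(p) for p in ("178.63.", "188.40.", "78.46.", "88.198.", "91.226.")]

# Indicator IPs as listed in the post, plus two constructed addresses (203.0.113.7,
# 198.51.100.21, from RFC 5737 documentation ranges) that should not match anything.
INDICATORS = {
    "malicious server": ["178.63.208.49", "188.40.19.247", "78.46.173.15", "88.198.30.44", "203.0.113.7"],
    "mini-mothership": ["91.226.31.40", "198.51.100.21"],
}

def match_blocks(ip, blocks=RBN_BLOCKS):
    """Return the blocks (as CIDR strings) containing ip; an empty list means no match."""
    addr = ipaddress.ip_address(ip)
    return [str(b) for b in blocks if addr in b]

def enrich(indicators, blocks=RBN_BLOCKS):
    """Annotate every indicator with its role and the blocks it falls into."""
    rows = []
    for role, ips in indicators.items():
        for ip in ips:
            rows.append({"ip": ip, "role": role, "blocks": match_blocks(ip, blocks)})
    return rows

def summary(rows):
    """Return (number of indicators with at least one block hit, total indicators)."""
    hits = sum(1 for r in rows if r["blocks"])
    return hits, len(rows)

if __name__ == "__main__":
    rows = enrich(INDICATORS)
    for r in rows:
        verdict = ", ".join(r["blocks"]) if r["blocks"] else "no match"
        print(f"{r['ip']:<16} {r['role']:<17} {verdict}")
    hits, total = summary(rows)
    print(f"{hits} of {total} indicators fall inside a listed block")
```

A /16 covers 65,536 addresses, so a hit at that granularity is weak evidence on its own; in practice the list's entries should carry their real prefix lengths, and a hit is a prompt for further pivoting (hosting provider, registration history, other indicators in the same block), not a conclusion.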

It has been my belief for many years that the RBN has a working relationship with the Russian government; that it disappeared from view when the FBI sought the assistance of the FSB to shut down their operations in 2007 (as detailed in chapter 8 of my book); and that it has continued operating below the radar all this time. It provides distance and deniability to the FSB for certain offensive cyber operations and, in exchange, the FSB allows the RBN to operate as a criminal enterprise; a portion of which involves selling the data that it steals to whomever is interested.

Red October is already the most significant find of the new year. If, in fact, Kaspersky has uncovered an RBN-controlled espionage ring, it's going to be one of the most important discoveries of the decade.
