
Red October Cyber Attack

CHAPTER 1

INTRODUCTION
"Red October", a cyber-espionage campaign that has been targeting government institutions since
2007, has been uncovered by researchers at the Russian security firm Kaspersky Lab.

Kaspersky Lab and several national cyber emergency response teams have been tracking the
malware, which has been attacking diplomatic, governmental and scientific research
organisations across Eastern Europe and Central Asia, and even in North America.

Thirty-five of the infected computers were found in Russia. Kazakhstan and Azerbaijan also had
a fair number of infections (21 and 15, respectively), and infected machines were also found in
India, Iran, the US, Italy and Greece.

Kaspersky Lab said that digital clues hinted that those behind "Red October" are Russian speakers,
but gave few details and refrained from naming the specific organisations that were targeted.

"We initiated our checks and quite quickly understood that this is a massive cyber-attack
campaign." There was a quite limited set of targets that were affected; they were carefully
selected. They seem to be related to some high-profile organisations.

Kurt Baumgartner, a senior security researcher at Kaspersky, described the campaign as a
"sophisticated and very patient multiyear effort" to extract confidential geopolitical information
from various sources, according to the New York Times.

The malware has been compared to Flame, another espionage toolkit that spied on Iranian computers,
and includes a special module for recovering deleted files from USB sticks, which Kaspersky's
Vitaly Kamluk said had never before been seen in a malware program.

It also includes a "resurrection" mechanism: a plugin planted in Adobe Reader and Microsoft Office
that lets the attackers regain control of a machine that has been cleaned simply by e-mailing the
victim another specially crafted document.

The virus got its name from the Russian submarine featured in Tom Clancy's novel "The Hunt For
Red October."

Dept. Of CSE 1

CHAPTER 2

SCOPE
Red October was a cyber-espionage malware program discovered in October 2012 and publicly
disclosed in January 2013 by the Russian firm Kaspersky Lab. The malware had reportedly been
operating worldwide for up to five years prior to discovery, transmitting information ranging
from diplomatic secrets to personal information, including data from mobile devices. The primary
vector used to install the malware was e-mail carrying attached documents that exploited known
vulnerabilities in Microsoft Word and Excel (Kaspersky identified the exploits as CVE-2009-3129
for Excel and CVE-2010-3333 and CVE-2012-0158 for Word). Later, a web page was found that
exploited a known vulnerability in the Java browser plugin (CVE-2011-3544).

Red October was termed an advanced cyber-espionage campaign intended to target diplomatic,
governmental and scientific research organisations worldwide.

After the campaign was revealed, domain registrars and hosting companies shut down as many as 60
domains that the attackers had used to receive stolen information. The attackers themselves also
dismantled their end of the operation.


CHAPTER 3

BACKGROUND
Red October is a targeted, malware-based espionage campaign.

Initially the malicious code was delivered via e-mail as attachments (Microsoft Excel and Word
documents and probably PDF documents) which were rigged with exploit code for known security
vulnerabilities in the respective applications.

Intended targets received personalised correspondence based on gathered intelligence on
individual people (an example is on the right).

These attacks comprised two major stages:

Initial infection: right after the victim opens the malicious document on a vulnerable system, the
embedded exploit code drops and installs the main Red October component on the machine.

This component handles further communication with the command servers run by the attackers, and
survives the computer being restarted.

Spying: next, the system receives a number of additional spy modules from the attackers' server,
including modules to handle the infection of smartphones; the team said iPhones, Windows Mobile
phones and Nokia handsets were seen on the network.

The specific modules are customised for each mobile device depending on the information the
attackers wanted.

The main purpose of the spying modules is to steal information.

All gathered information is packed, encrypted and only then transferred to the Red October
command servers.

Other modules were designed to target files encrypted with Acid Cryptofiler, an encryption
package that was once in widespread use by intelligence agencies and EU and NATO bodies but is now
less common.


The campaign, identified as 'Rocra' (short for 'Red October'), was still active at the time of
Kaspersky's January 2013 report, with data being sent to multiple command-and-control servers
through a configuration that rivals in complexity the infrastructure of the Flame malware.

Kaspersky's sinkhole of several of the command-and-control domains registered more than 55,000
connections from 250 distinct infected IP addresses.

Most of the sinkholed connections were found coming from Switzerland, followed by Kazakhstan and
Greece.
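The sinkhole figures above are the output of exactly this kind of analysis. As an added example that is not part of the original report or of Kaspersky's tooling, the Python below parses a constructed sinkhole log (the hostnames, IP addresses, countries and timestamps are made up for the illustration), tallies connections, distinct infected IPs and per-country totals, and additionally flags sources whose check-ins arrive at a near-constant interval, which is how an implant polling its C2 on a timer looks in sinkhole data.

```python
from collections import Counter
from datetime import datetime
from statistics import mean, pstdev

# Constructed sinkhole log (not real Rocra telemetry): timestamp, source IP,
# GeoIP country, and the sinkholed C2 hostname the client asked for.
SINKHOLE_LOG = """\
2013-01-14T10:00:00Z 203.0.113.5 CH c2-a.example
2013-01-14T10:10:00Z 203.0.113.5 CH c2-a.example
2013-01-14T10:20:00Z 203.0.113.5 CH c2-a.example
2013-01-14T10:30:00Z 203.0.113.5 CH c2-a.example
2013-01-14T10:02:00Z 198.51.100.9 KZ c2-b.example
2013-01-14T11:47:00Z 198.51.100.9 KZ c2-b.example
2013-01-14T10:05:00Z 192.0.2.77 GR c2-a.example
2013-01-14T10:07:00Z 192.0.2.78 CH c2-b.example
"""


def parse_sinkhole_log(text):
    """Parse one record per line into (timestamp, ip, country, host) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, country, host = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, country, host))
    return records


def summarize(records):
    """Connection count, distinct infected IPs and per-country / per-host totals,
    the kind of figures Kaspersky reported from its sinkhole."""
    by_country = Counter(r[2] for r in records)
    by_host = Counter(r[3] for r in records)
    return {
        "connections": len(records),
        "unique_ips": len({r[1] for r in records}),
        "by_country": dict(by_country.most_common()),
        "by_host": dict(by_host.most_common()),
    }


def find_beacons(records, min_hits=4, max_cv=0.1):
    """Flag source IPs whose check-ins arrive at a near-constant interval.
    A person who stumbles onto a sinkholed domain does not produce evenly spaced
    requests; an implant polling its C2 on a timer does. The coefficient of
    variation (stdev / mean) of the inter-arrival gaps is the test; the
    thresholds are assumptions chosen for this example."""
    per_ip = {}
    for ts, ip, _, _ in records:
        per_ip.setdefault(ip, []).append(ts)
    beacons = []
    for ip, stamps in per_ip.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append((ip, avg))
    return beacons


if __name__ == "__main__":
    recs = parse_sinkhole_log(SINKHOLE_LOG)
    print(summarize(recs))      # totals per country and per C2 hostname
    print(find_beacons(recs))   # sources checking in on a fixed timer
```

On the constructed input the only source that qualifies as a beacon is the one checking in every ten minutes; the two-hit and single-hit sources are ignored because too few samples exist to judge regularity. A real sinkhole feed would be fed in the same way, one record per observed request, with GeoIP resolution done beforehand.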


CHAPTER 4

INVESTIGATION
Following a series of attacks against the computer networks of international diplomatic service
agencies, experts at Kaspersky Lab initiated an investigation in October 2012. What they
unearthed looks like a large-scale cyber-espionage campaign that had been targeting diplomatic,
governmental and scientific research organisations in several countries for at least five years.
Termed Operation Red October, or Rocra, the campaign was still active as of January 2013
according to the Kaspersky investigation.

The investigation reveals that the attackers have been active since at least 2007 and have been
focusing on the diplomatic and governmental agencies of various countries around the world, in
addition to research institutions, energy and nuclear groups, and trade and aerospace targets. The
attackers devised their own malware, identified as "Rocra", which comprises malicious extensions,
information-stealing modules and backdoor Trojans.

Figure: the countries infected.


Explaining the modus operandi, the report states that to infect a system the attackers sent a
targeted spear-phishing e-mail to the victim that included a customised Trojan dropper. To install
the malware and infect the system, the malicious attachment carried exploits for known security
vulnerabilities in Microsoft Word and Excel. The exploit documents used in the spear-phishing
e-mails had been created by other attackers and employed during different cyber-attacks, including
against Tibetan activists and against military and energy-sector targets in Asia. The only thing
changed in the documents used by Rocra was the embedded executable, which the attackers replaced
with their own code.
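A triage check follows directly from that observation: because the lure documents were recycled exploit documents with only the embedded executable swapped, a scanner that looks for a PE image embedded inside an Office or RTF attachment catches the payload regardless of which exploit wraps it. The Python below is an added example, not code from the report or from Kaspersky. It checks the raw bytes of an OLE2-style document and also decodes the hex object data that RTF stores after the \objdata control word; the regex, the fake PE header it builds for the demonstration and the sample blobs are all constructed for this illustration.

```python
from __future__ import annotations

import re
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"

# RTF embeds OLE objects as hex text after the \objdata control word
# (constructed regex for this example; real-world RTF can be more convoluted).
RTF_OBJDATA = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def find_embedded_pe(blob: bytes) -> list[int]:
    """Return offsets of every 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    hits = []
    start = 0
    while True:
        i = blob.find(MZ, start)
        if i < 0:
            break
        if i + 0x40 <= len(blob):  # need the full DOS header to read e_lfanew
            e_lfanew = struct.unpack_from("<I", blob, i + 0x3C)[0]
            pe = i + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and blob[pe:pe + 4] == PE_SIG:
                hits.append(i)
        start = i + 1
    return hits


def decode_rtf_objdata(blob: bytes) -> list[bytes]:
    """Decode every \\objdata hex block in an RTF file to raw bytes."""
    payloads = []
    for m in RTF_OBJDATA.finditer(blob):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]
        payloads.append(bytes.fromhex(hexstr.decode("ascii")))
    return payloads


def scan_document(blob: bytes) -> dict:
    """Look for a PE image both in the raw bytes (OLE2 .doc/.xls) and inside
    decoded RTF object data; report offsets and an overall verdict."""
    result = {"raw_pe_offsets": find_embedded_pe(blob), "rtf_objdata_pe": 0}
    if blob.startswith(b"{\\rtf"):
        for payload in decode_rtf_objdata(blob):
            result["rtf_objdata_pe"] += len(find_embedded_pe(payload))
    result["suspicious"] = bool(result["raw_pe_offsets"]) or result["rtf_objdata_pe"] > 0
    return result


def build_fake_pe() -> bytes:
    """Constructed stand-in for a dropper: a DOS header whose e_lfanew points
    at a PE signature. It is not executable; it only exercises the scanner."""
    dos = bytearray(MZ + b"\0" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x80)      # e_lfanew = 0x80
    dos += b"\0" * (0x80 - len(dos))             # pad up to the PE header
    return bytes(dos) + PE_SIG + b"\0" * 20


if __name__ == "__main__":
    payload = build_fake_pe()
    # Constructed samples: an OLE2-style header with the payload appended,
    # and an RTF file carrying the same payload as hex object data.
    ole_like = b"\xd0\xcf\x11\xe0" + b"\0" * 100 + payload
    rtf_like = b"{\\rtf1{\\object\\objemb{\\*\\objdata " + payload.hex().encode() + b"}}}"
    print(scan_document(ole_like))
    print(scan_document(rtf_like))
```

The e_lfanew sanity bounds keep random "MZ" byte pairs in document text from being reported; a hit requires the DOS header to point at a real "PE\0\0" signature. This is a cheap first-pass filter for a mail gateway, not a replacement for sandboxing, since a dropper can also be stored compressed or XOR-encoded inside the document.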

The investigation reveals that the attackers often used information exfiltrated from infected
networks to gain entry into additional systems. For example, stolen credentials were compiled
into a list and used when the attackers needed to guess passwords or passphrases for additional
systems. To control the network of infected machines, the attackers registered more than 60
domain names and used several server hosting locations in different countries, the majority in
Germany and Russia. Kaspersky Lab's analysis of Rocra's command-and-control (C2) infrastructure
shows that the visible chain of servers was actually working as a set of proxies to hide the
location of the 'mothership' control server.
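Detecting the credential-reuse step described above is a log-analysis problem: a single source that fails against several different accounts in quick succession and then succeeds is the signature of someone working through a harvested password list. The Python below is an added example using constructed logon records in a simple key=value form (not real telemetry and not Kaspersky's code); the field names, the five-minute window and the three-account threshold are assumptions chosen for the illustration.

```python
from datetime import datetime, timedelta

# Constructed logon records (not from the Red October investigation). A real
# deployment would read Windows 4624/4625 events or Linux auth logs instead.
AUTH_LOG = """\
2013-01-14T09:00:01Z src=10.0.0.23 host=FS01 user=alice result=FAIL
2013-01-14T09:00:04Z src=10.0.0.23 host=FS01 user=bob result=FAIL
2013-01-14T09:00:07Z src=10.0.0.23 host=FS02 user=carol result=FAIL
2013-01-14T09:00:10Z src=10.0.0.23 host=DC01 user=dave result=FAIL
2013-01-14T09:00:13Z src=10.0.0.23 host=DC01 user=admin result=SUCCESS
2013-01-14T09:30:00Z src=10.0.0.40 host=FS01 user=erin result=FAIL
2013-01-14T09:30:05Z src=10.0.0.40 host=FS01 user=erin result=SUCCESS
"""


def parse_auth_log(text):
    """Turn each 'timestamp key=value ...' line into a dict with a parsed 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_credential_spraying(events, window=timedelta(minutes=5), min_accounts=3):
    """Flag sources that fail against several distinct accounts inside one
    window, and record whether a success followed the burst. A user mistyping
    their own password repeatedly hits one account and is not flagged."""
    by_src = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src.setdefault(ev["src"], []).append(ev)
    alerts = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e["result"] == "FAIL"]
        # slide a window over the failures; alert on the first one that qualifies
        for i, first in enumerate(failures):
            burst = [e for e in failures[i:] if e["ts"] - first["ts"] <= window]
            accounts = {e["user"] for e in burst}
            if len(accounts) >= min_accounts:
                later_success = [
                    e for e in evs if e["result"] == "SUCCESS" and e["ts"] >= first["ts"]
                ]
                alerts[src] = {
                    "accounts_tried": sorted(accounts),
                    "hosts": sorted({e["host"] for e in burst}),
                    "success_after_burst": bool(later_success),
                    "first_success_user": later_success[0]["user"] if later_success else None,
                }
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_credential_spraying(parse_auth_log(AUTH_LOG)).items():
        print(src, info)
```

On the constructed log the first source is flagged because it tried four different accounts across three hosts within seconds and then logged in as a fifth; the second source is a single user retrying their own password and stays quiet. Tuning the window and account threshold against your own baseline is what separates a useful alert from noise.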

What is also a cause for concern is that, in addition to targeting traditional workstations, the
malware can siphon data from mobile devices (iPhone, Nokia and Windows Mobile). The report
states further that the malware is also capable of stealing configuration information from
enterprise network equipment such as Cisco routers and switches, as well as deleted files from
removable drives. The infected hosts are mostly distributed in Eastern Europe, with the highest
numbers of infections detected in Russia followed by Kazakhstan, while 14 infections were found
in India. All of them were in high-value locations such as government networks and diplomatic
institutions. The main purpose of the operation appears to be the gathering of classified
information and geopolitical intelligence.

While the investigators have not been able to identify the attackers or their location, they
point to two important factors: first, the exploits appear to have been created by Chinese
hackers, and second, the Rocra malware modules were created by Russian-speaking operatives.
There is, however, currently no evidence linking this to a nation-state sponsored attack.


CHAPTER 5

CYBER LAWS
Cyber crimes can involve criminal activities that are traditional in nature, such as theft, fraud,
forgery, defamation and mischief, all of which are subject to the Indian Penal Code. The abuse
of computers has also given birth to a gamut of new age crimes that are addressed by the
Information Technology Act, 2000.

We can categorise cyber crimes in two ways, by the role the computer plays:

1. Computer as the target (for example, hacking and virus attacks)

2. Computer as the weapon (for example, cyber terrorism, IPR violations and pornography)

Cyber law (also written cyberlaw) is a term used to describe the legal issues related to the
use of communications technology, particularly "cyberspace", i.e. the Internet. It is less a
distinct field of law, in the way that property or contract law are, than an intersection of many
legal fields, including intellectual property, privacy, freedom of expression and jurisdiction. In
essence, cyber law is an attempt to integrate the challenges presented by human activity on the
Internet with the legacy system of laws applicable to the physical world.

General Laws

1) Penalty and compensation for damage to a computer, computer system, etc. [Sec. 43]: If any
person, without permission of the owner or of any other person who is in charge of a computer,
computer system or computer network:

a) accesses or secures access to such computer, computer system, computer network or
computer resource;
b) downloads, copies or extracts any data, computer database or information from such
computer, computer system or computer network, including information or data held or
stored in any removable storage medium;
c) introduces or causes to be introduced any computer contaminant or computer virus
into any computer, computer system or computer network;
d) damages or causes to be damaged any computer, computer system or computer
network, data, computer database or any other programmes residing in such computer,
computer system or computer network;
e) disrupts or causes disruption of any computer, computer system or computer
network;
f) denies or causes the denial of access to any person authorised to access any computer,
computer system or computer network by any means;
g) provides any assistance to any person to facilitate access to a computer, computer
system or computer network in contravention of the provisions of the Act, rules or
regulations made thereunder;
h) charges the services availed of by a person to the account of any other person by
tampering with or manipulating any computer, computer system or computer network;
i) destroys, deletes or alters any information residing in a computer resource or
diminishes its value or utility or affects it injuriously by any means;
j) steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or
alter, any computer source code used for a computer resource with an intention to cause
damage;

he shall be liable to pay damages by way of compensation to the person so affected.

2) Compensation for failure to protect data [Sec. 43-A]: Where a body corporate possessing,
dealing with or handling any sensitive personal data or information in a computer resource which
it owns, controls or operates is negligent in implementing and maintaining reasonable security
practices and procedures, and thereby causes wrongful loss or wrongful gain to any person,
such body corporate shall be liable to pay damages by way of compensation to the person so
affected.


3) Penalty for failure to furnish information, returns, etc. [Sec. 44]: If any person who is
required to

a) furnish any document, return or report to the Controller or the Certifying Authority fails
to furnish the same, he shall be liable to a penalty not exceeding one lakh and fifty
thousand rupees for each such failure;

b) maintain books of account or records fails to maintain the same, he shall be liable to a
penalty not exceeding ten thousand rupees for every day during which the failure
continues.

4) Penalty for securing access to a protected system [Sec. 70]: The appropriate Government may
declare any computer resource which directly or indirectly affects the facility of Critical
Information Infrastructure to be a protected system and may, by order in writing, authorise the
persons who are to access the notified protected system. Any person who secures access or
attempts to secure access to such a protected system without authorisation shall be punished with
imprisonment for a term which may extend to ten years and shall also be liable to a fine. The
Central Government has prescribed the Information Technology (Security Procedure) Rules, 2004
under this section.

5) Tampering with computer source documents [Sec. 65]: Whoever knowingly or intentionally
conceals, destroys or alters, or causes another to conceal, destroy or alter, any computer source
code used for a computer, computer programme, computer system or computer network, when that
source code is required to be kept or maintained by law, shall be punishable with imprisonment up
to three years, or with a fine which may extend up to two lakh rupees, or with both.

Punishment for violation of privacy [Sec. 66E]

Whoever intentionally or knowingly captures, publishes or transmits the image of a private
area of any person without his or her consent, under circumstances violating the privacy of
that person, shall be punished with imprisonment which may extend to three years, or with a fine
not exceeding two lakh rupees, or with both.


Punishment for cyber terrorism [Sec. 66F]

An offence of cyber terrorism is committed when someone:

a) with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror
in the people:
1. denies or causes the denial of access to any person authorised to access a computer
resource; or
2. attempts to penetrate or access a computer resource without authorisation or
exceeding authorised access; or
b) knowingly or intentionally penetrates or accesses a computer resource without authorisation
or exceeding authorised access and, by means of such conduct, obtains access to
information, data or a computer database that is restricted for reasons of the security of
the State or foreign relations, or any restricted information, data or computer database,
with reason to believe that such information, data or computer database so obtained may
be used to cause injury to the interests of the sovereignty and integrity of India.

Whoever commits cyber terrorism shall be punishable with imprisonment which may extend to
imprisonment for life.

ADVANTAGES:

From the perspective of e-commerce in India, the IT Act 2000 and its provisions contain
many positive aspects. Firstly, the implication of these provisions for e-businesses is that
e-mail is now a valid and legal form of communication in our country that can be duly
produced and approved in a court of law.
* Companies are now able to carry out electronic commerce using the legal
infrastructure provided by the Act.
* Digital signatures have been given legal validity and sanction in the Act.
* The Act throws open the doors for the entry of corporate companies into the business of
being Certifying Authorities for issuing Digital Signature Certificates.
* The Act allows the Government to issue notifications on the web, thus heralding
e-governance.
* The Act enables companies to file any form, application or other document with
any office, authority, body or agency owned or controlled by the appropriate Government in
electronic form, by means of such electronic form as may be prescribed by the appropriate
Government.
* The IT Act also addresses the important issues of security, which are so critical to the
success of electronic transactions. The Act has given a legal definition to the concept of
secure digital signatures, which are required to have passed through a security procedure
stipulated by the Government.
* Under the IT Act, 2000, it is now possible for corporates to have a statutory remedy
in case anyone breaks into their computer systems or networks and causes loss.


CHAPTER – 6

CONCLUSION

The purpose of this paper is to analyse the Red October cyber-attack, its effects and some
preventive measures, and to raise awareness of it. We conclude that the campaign uncovered in
2012 was one of the most significant cyber-espionage operations of its time.
The main infection vector of Red October was spear-phishing e-mail carrying malicious documents
that exploited known Office and Java vulnerabilities, after which additional modules were loaded
onto the victim's PC to harvest information and send it to the attackers' servers.
So, beyond keeping regular backups of data, it is essential for computer users to apply security
patches promptly and to treat unexpected e-mail attachments with suspicion.


CHAPTER – 7

REFERENCES

[1] http://www.bbc.com/news/technology-21013087

[2] http://www.kaspersky.com/about/news/virus/2013/Kaspersky_Lab_Identifies_Operation_Red_October_an_Advanced_Cyber_Espionage_Campaign_Targeting_Diplomatic_and_Government_Institutions_Worldwide

[3] https://securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/

[4] http://appleinsider.com/articles/14/12/11/massive-sophisticated-inception---

[5] https://threatpost.com/inside-1000-red-october-cyberespionage-malware-modules-011713/77419

[6] http://www.tomshardware.com/news/red-october-malware-cloud-atlas,28220.html

[7] http://www.dailymail.co.uk/sciencetech/article-2263322/Operation-Red-October-revealed-The-astonishing-hacker-attack-infiltrated-55-000-high-level-government-computers.html


CHAPTER – 8
SLIDES
