Digital fingerprints on Red October spyware point to Russia ... or do they?
With the malware's digital signatures revealed, updated antivirus software has now made Red October largely ineffective. But at its height the espionage web was extraordinarily complex. Attackers created more than 60 domain names linked to dozens of server computers located mostly in Germany and Russia. That chain of servers served as "proxies" to hide the locations of the mini-mothership servers and, finally, a central "mothership" server.
"The ... infrastructure is actually a chain of servers working as proxies and hiding the location of the true 'mothership' command and control server," the report said.
For complexity, the Red October cyberspy network is on par with recent cyberespionage campaigns involving Flame malware, said Igor Soumenkov, a malware expert with Kaspersky Labs, in an interview with the Monitor's Fred Weir. The Flame spyware was detected in Iran, Sudan, Israel, Syria, Saudi Arabia, Lebanon, and Egypt last year. Flame, however, has been linked by Kaspersky and Symantec to the Stuxnet cyberweapon directed to attack Iran's nuclear centrifuge complex in 2009.
Even so, Red October "can hardly be referred to as state-sponsored. It is unknown whether the collected data was used by attackers themselves, or was sold to other interested parties," Mr. Soumenkov said.
Technical obfuscation crafted by Red October's creators kept Kaspersky researchers from reaching the "mothership" and determining who was behind the malware.
Many other uncertainties remain about Red October, and one question concerns which institutions and embassies were actually targeted. The Kaspersky data show that a foreign embassy in the US was infected. But which one? And do all those infections in Russia imply that Russian government institutions were victimized, or rather foreign institutions operating inside Russia?
Kaspersky officials say their investigation is ongoing and won't release target names, something that may give many clues about the identity of the perpetrator. The company says an anonymous source tipped it off to the spy network's existence.