The Hunt for Red October: Virus Hunters Try to Catch Diplomatic Time Bomb

The three virus hunters, part of a special unit at Kaspersky, a Russian computer firm, are hunting for "Red October." It's the moniker they have given to a newly discovered spy program, inspired by the almost noiseless submarine in the eponymous novel by Tom Clancy.

The virus has infected at least 350 government ministries, embassies and research facilities worldwide, especially in the former Soviet republics. The attackers apparently had "a special interest in geopolitically significant information," says virus analyst Kamlyuk.

The Russian Embassy in the United States was apparently among the targets. Tens of thousands of documents, probably including classified reports to the foreign ministry in Moscow, reportedly fell into the hands of cyber spies. It's possible that a total of several terabytes of data were stolen, the contents of which could very well be as explosive as the cables made public by Wikileaks.

The digital submarine has been lurking for five years, fishing for classified information and it's likely that the data theft still hasn't been detected by some of the victims.

"We have never before seen an attack done with such surgical precision," says Kamlyuk, who is now urging his colleagues to speed up their efforts. Since Kaspersky went public with the discovery of the spy network, the attacker's control servers are gradually being taken offline. "The enemy is destroying the evidence," says Kamlyuk.

Deepening Intrigue

Red October is part of a group of new spyware programs that are expensive and complex, and yet promise hardly any financial gain. They are designed to steal political information, not bank data. Government intelligence agencies are believed to be behind the programs.

Company founder Eugene Kaspersky, a graduate of the KGB's internal university, is increasingly specializing in this new generation of government Trojan horses. His company analyzed the Stuxnet virus in 2010. The computer worm had infected computers in Iran, dealing a major setback to the Islamist regime's nuclear program. Last year, the Russians deciphered "Flame" and "Gauss," two destructive computer worms that were mainly active in the Middle East. Like Stuxnet there has been speculation that the United States or Israeli governments commissioned the programs.

Red October, however, bears a different handwriting. Russian slang keeps appearing in its code, including words like "zakladka" (bug) and "proga" (program). Sergei Nikitin of the Moscow-based security firm Group-IB believes that many authors were at work here, and that they were not in contact with one another. The programming style of the individual modules, says Nikitin, is inconsistent, ranging from sophisticated to roughly put together. He believes that the program was probably commissioned by "an intelligence service that hired the programmers through underground forums in the Russian hacker community."

There are many independent cyber warriors willing to sell their services, especially in Russia. While the country offers good technical training opportunities, the pay is often miserable in government research institutes, leading some specialists to seek secondary income sources. The Russian Interior Ministry estimates that Russians make up about 30 percent of individuals involved in global cybercrime.

The backers of Red October, on the other hand, could be in any other country. China came under suspicion at first, because no victims had been discovered there yet. In addition, Chinese hackers had previously used a few of the program's infection paths to spy on the computers of Tibetan activists. But it could be a false trail, perhaps even put there deliberately.

Targeted Trawling

It is clear, however, that Red October was inserted in a targeted manner into the computers of a few selected recipients, so as to attract little attention, using a method called "spear phishing." The messages in which the program was hiding were tailored to the recipients. In one case, for example, a recipient received a bogus email with the words "diplomatic car for sale" in the subject line.

The program wastes little energy trying to infiltrate external computers. Its ingenuity lies in so-called "exfiltration," or the discreet removal of the spoils.

"Red October is fantastic," raves Costin Raiu, barely disguising his admiration. "The attackers wrote about 1,000 different modules to steal data." Raiu, a man in his mid-30s with a roundish face, runs Kaspersky's research team, with 34 employees scattered around the world, from his office in the Romanian capital Bucharest.

An informant passed him a virus in October 2012. The file seemed trivial. Raiu decided to observe the intruder.

When he intentionally infected special laboratory computers, the virus began to take effect. The software activated itself, mapped the entire network from within, established a directory of all connected devices, and then stored and encrypted the information. The orderly intruder also assigned a victim number to each infected computer.

After its investigation is done, the program contacts a number of control computers on the Internet. Depending on which hardware the virus discovers, it downloads the applicable break-in tools: to fish for passwords, addresses, calendars, text, tables and call lists. One module is used to read information stored on iPhones, while another one copies the content of USB flash drives, even when users believe that they have deleted the contents.

Pulling Apart the Layers

The virus also searches specifically for classified documents that are secured with encryption software called "Acid Cryptofiler," which is also used by the European Union and NATO. To decrypt these files, it records keyboard entries using a so-called "keylogger."

Then it compresses the data and transmits it in neat little packages to a selection of about 60 command servers, some of which are in Germany. These servers, in turn, communicate with "mother ships," a system of switching computers (proxies) that forward the data to the hidden culprits. "The whole thing is structured like an onion peel," says Raiu.

Raiu set a trap to determine who was targeted in the attack. Some web addresses that the virus contacted did not respond. Raiu simply registered these out-of-date Internet addresses to his name and diverted the data traffic to his laboratory. The method is called a "sinkhole," because it enables the user to look deeply into a hidden tunnel system.

Within a few weeks, he had collected 55,000 inquiries from computers contaminated with the virus. "We were only able to access six of 60 command servers," says Raiu. "In other words, we could see only about 10 percent of the network." It's possible that the number of victims was much higher.

Raiu is currently observing the command servers gradually being shut down. But this only means that Red October is hibernating. Secret plug-ins are left behind that can be reactivated at any time, despite the virus supposedly having been deleted, warns Igor Kotenko, an IT professor at the University of Saint Petersburg.

Virus Protection

The anti-virus industry is now left with egg on its face. How could the worm have remained undetected for five years?

Andreas Marx, managing director of AV-Test in the eastern German city of Magdeburg, explains the problem: "Red October only infected individual computers in a very targeted manner, while anti-virus software usually focuses on widespread worms."

The torrent of dangerous software is growing immensely, says Marx. "An estimated 50 million variants are being added this year alone." That comes to two per second. Marx advises users to also use an onion-like protection system, consisting of automatic updates of all programs, virus protection, firewalls and a "white list" of trustworthy computers.

"Anti-virus programs can lead people to believe that they are safe when they are not," says Fred Cohen, a security advisor on the editorial board of the Journal in Computer Virology. "Many users download all kinds of things, because they believe that they are protected."

Cohen is one of the pioneers in the community. He coined the term "computer virus," after he had released computer worms on a test basis at the University of Southern California. That was in 1983.

Thirty years of experience have taught Cohen that for every digital protective shield, there is a virus that can circumvent it. That, he says, is why he places most of his trust in the virus protection programs between his ears: skepticism and caution.