
Red October Attack Analysis and Ethical Frameworks


The Red October cyber attack is a malware campaign which is sometimes also referred to as ROCRA. In 2013, Kaspersky Labs found this malware and stopped its spread, but by then the attack had already succeeded. Moreover, Kaspersky reported that this malware had started spreading in 2007. Following is the CIA Triad analysis, the laws affected and the ethical frameworks applied to the Red October attack:

CIA Triad

CIA stands for Confidentiality, Integrity and Availability. It is a widely used model for developing security policies, and it is used to identify problems and devise their solutions in the field of information security.


Confidentiality means the protection of sensitive and private information from unauthorised access. It refers to defining and enforcing certain access levels for various groups of information. [13] We know that the Red October cyber attack had two specific kinds of modules which targeted stealing passwords and emails. The password modules were used to steal Outlook account information, Windows account hashes, other account information and Outlook attachments, whereas the email module was used to steal email data using the local MAPI store and POP3 servers. This shows that sensitive and private information was accessed during the cyber attack. Other modules, such as the exfiltration, mobile and USB-drive modules, were also responsible for stealing sensitive information. Therefore, we can conclude that the confidentiality of the networks was definitely affected during the ROCRA cyber attack. Moreover, the attackers reused the stolen credentials to gain access in later attacks by guessing similar passwords and network credentials on other infected machines.


The “I” in CIA refers to data integrity. It is a significant component of the CIA Triad, and its purpose is to protect data from deletion or modification by any unauthorised party.

This also ensures that any damage made to the data can be reversed. In the Red October attack, various modules compromised the integrity of the networks; one of them is the Scheduler module, which is a persistent kind of attack. It was responsible for running various tasks from the specs folders on the infected machine without the owner’s permission or knowledge. Since these tasks could be anything from modifying data to deleting it, the integrity of the system was compromised.


The “A” in CIA refers to the availability of data. In Red October, the passwords were stolen but not changed, in order to avoid detection; therefore we can say that this kind of module did not affect the availability of data.

The purpose of the Red October cyber attack was stealing information only while staying undetected. That is why there was no module which could restrict the user from accessing the infected machine and its data.

Laws affected by the Red October Attack / Data Breach

Red October broke many laws; several of them fall under the UK Computer Misuse Act (1990):

  • Unauthorised access to computer material, where the attacker did reconnaissance on the target and exploited their weaknesses.
  • Unauthorised access with intent to commit further offences, including damage to privacy and security.
  • Unauthorised modification of computer material, where the attacker installed malware and started communication with C&C servers.

Ethical frameworks

There are three ethical frameworks which are applied to the Red October attack, as follows:

Virtue ethics

Virtue ethics is based on the person rather than their actions. It focuses on the moral character of the person carrying out an action rather than on ethical duties or rules. [15] Following are the character traits, both positive and negative, of an attacker. [16]

From a virtue ethics point of view, an attacker should have thought about whether he or she wants to be the kind of person who steals personal and sensitive files from government agencies and other private organisations. Apparently, the hacker decided to be a non-virtuous person and went on with the ROCRA attack. In other words, it is not virtuous for an attacker to send a phishing email and trap someone into installing malware on their system.

The target should think before opening a phishing email: is the sender trustworthy enough for me to open this email? Is the moral character of the sender virtuous? If the target had not opened the phishing email, there would have been no ROCRA attack on that system.

Deontological ethics

The deontological school of thought focuses on the actions and not the consequences.

The attacker did enough research to know about the target’s weaknesses. For example, the attacker would know that the target liked vintage cars. He would then specifically create a “Vintage Cars on Sale” email to attract the target. According to deontological ethics, the attacker should not have researched and exploited the target’s weaknesses, because it is wrong to exploit anyone’s weaknesses.

The attacker should have asked: is it morally correct for me to exploit a weakness of a person? Is it acceptable for me to trap that person, knowing well that my actions will harm him? Will my action destroy the target’s privacy?

From the target’s point of view, he or she should not have opened an email and downloaded the attachment just because it was tempting.

Utilitarian ethics

The utilitarian school of thought uses the principle of the “greatest good” to determine what one’s moral obligations are in any given situation.

The attacker’s options were either to use the attack to share the information with the world for the sake of transparency or the greater good, or to leave the privacy and security of the person intact and avoid doing anything morally wrong. From the attacker’s perspective, he must have thought that critical information should be shared by government agencies with the public. Therefore, following utilitarian ethics, the attacker did not care about the privacy and security of government agencies and officials and performed the ROCRA cyber attack for the greater good.

Since utilitarian ethics focuses on the greater good, it would advise the client not to install any software with known vulnerabilities (Excel and Word) at all. By not installing software with known vulnerabilities, the client would sacrifice the use of that software for the greater good, which is their security and privacy.

Muntaha Saleem
She is an Editor-in-Chief. She is a telecom engineer and a blogger. She loves to blog about the latest technology news and products.
