In 2013, Kaspersky discovered the Red October attack, which had been operating successfully since 2007. Its goal was to gather sensitive files from the compromised organisations: geopolitical intelligence, the credentials of high-profile and significant persons, and data from personal mobile devices and network equipment. The following is a basic description of the taxonomy of the Red October malware:
Standalone or host-program
Host-program malware is malware that requires a “host program” in order to grow and spread in the target machine or network. In the case of Red October, Microsoft Word or Excel files were used as the host program: the malware was attached to these documents and spread onto the infected machine when the documents were downloaded. Standalone malware, by contrast, does not need any host program to infect the target’s system. Since the Red October malware attached itself to programs such as Excel and Word, it is host-program malware.
Persistent or transient
The main difference between persistent and transient malware is this: transient malware is removed when the victim reboots the machine, whereas persistent malware survives a reboot. Red October installs itself on the hard drive, collects information from the drives and sends it to the command-and-control centre. With the help of additional modules it is also able to gather data from connected drives and other peripheral devices. Most importantly, it is not removed when the victim reboots the system. Therefore, Red October falls into the persistent cyber-attack category.
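A persistent implant must write itself into some location the operating system reads at boot or logon, so the defender-side counterpart to the classification above is an audit of those auto-start locations. The following PowerShell script is an added example, not code from the original page or from any analysis of Red October; it assumes an elevated session on the Windows host being checked, and the registry keys, scheduled tasks and services it inspects are the common auto-start locations, not locations the page attributes to this malware. It lists every auto-start entry whose binary is missing or lacks a valid Authenticode signature, which is also the set of binaries a signed-software execution policy would refuse to run.

```powershell
# Added example (not from the original page): audit common Windows auto-start
# locations, the places persistent malware must touch to survive a reboot.
# Assumes an elevated PowerShell session on the host being checked.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract the executable from a command line such as "C:\path\tool.exe" /arg.
# Unquoted paths containing spaces are truncated at the first space; treat
# such entries as worth a manual look rather than as trustworthy.
function Get-ExecutablePath {
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+)')     { return $Matches[1] }
    return $null
}

$entries = @()

# Registry Run / RunOnce values
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
    }
}

# Scheduled tasks that launch an executable
Get-ScheduledTask | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ($a.Execute) {
            $entries += [pscustomobject]@{ Source = 'ScheduledTask'; Name = $_.TaskName; Command = $a.Execute }
        }
    }
}

# Services configured to start automatically
Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
    $entries += [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName }
}

# Resolve each entry's binary and check its Authenticode signature.
$report = foreach ($e in $entries) {
    $path = Get-ExecutablePath $e.Command
    $exe  = if ($path) { [Environment]::ExpandEnvironmentVariables($path) } else { $null }
    $status = if (-not $exe -or -not (Test-Path $exe)) { 'MissingBinary' }
              else { (Get-AuthenticodeSignature -FilePath $exe).Status.ToString() }
    [pscustomobject]@{ Source = $e.Source; Name = $e.Name; Executable = $exe; Signature = $status }
}

# Anything that is not validly signed is the hunting lead: a missing binary,
# an unsigned one, or a signature that no longer verifies.
$report | Where-Object { $_.Signature -ne 'Valid' } | Sort-Object Source, Name | Format-Table -AutoSize
```

A clean, fully managed host still produces some output here (vendor tools without signatures, orphaned RunOnce values), so the useful practice is to baseline the report once and diff it on a schedule: a new unsigned auto-start entry appearing between runs is the signal, not the absolute count.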
Layers of system stack
The Red October attack is a user-application attack, because the malicious code attaches itself to Microsoft Word or Excel files (depending on which one is more likely to be opened by the user) and is then sent to the victim by email.
The Red October attack is auto-spreading, moving like an oil slick from Asia to the United States, mostly against institutional structures, governments, embassies, research centres and academics, located mostly in Eastern Europe and Central Asia.
Any cyber-attack that is able to update itself and extend its features is known as dynamically updatable. The Red October cyber-attack was able to update itself dynamically: the attackers built a multi-functional kit into it that could quickly be extended with new features for gathering intelligence. It was resistant to C&C server takeover and allowed the attackers to recover access to infected machines by employing alternative communication channels.
Any virus or malware that remains in communication with the attacker after the initial infection is considered a coordinated attack. ROCRA was a coordinated attack. After the initial infection, the attackers first looked around the network, and the required modules were then installed on the necessary machines to gather intelligence and data. These modules were sent by the C&C server, which shows that this was a coordinated attack.
We researched and analysed the Red October attack in depth. Such attacks could be avoided by taking proper mitigation and prevention measures, including: updating and upgrading software immediately; defining privileges and accounts; setting up multi-factor authentication; enforcing signed-software execution policies; actively managing systems and configuration; continuously hunting for network intrusions; leveraging modern hardware security features; and segregating networks using application-aware defences. It is also imperative to create a system recovery plan and to execute it properly if system security is breached. We found that employing some of these strategies is time-consuming on a regular basis and expensive as well. But when the cost, time and security of these techniques were compared, we found it worth spending the time, effort and money to prevent a devastating attack like Red October.