The malware contained many of the functions traditionally associated with malware, such as keylogging. But focusing on these traditional capabilities misses a key point: hijacking local data, such as files and credentials, was the means—but not the end.
Red October contained two interesting aspects:
- Attackers recycled stolen data from victims of the same sector to make their spear phishing emails less suspicious by incorporating some context that would be familiar to the victim.
- The ability to identify and access the important data centres.
Rocra, the name of the malware used in the Red October campaign, is APT by the book. It has specific modules for each of the elements needed for an APT attack: reconnaissance, spreading, maintaining persistence, data extraction and data exfiltration.
Specifically, it has capabilities to access both unstructured data (files) as well as structured data (database records), or as the Kaspersky Labs Report noted, it would “Collect information about installed software, most notably Oracle DB…”
What do these modules do? Let’s break down some of them:
- The purpose of the “Recon” modules is to help the attacker find the right data.
- The purpose of the “Exfiltration” modules is to deliver the data to the attacker.
The infiltration of the victims' networks and endpoints was conducted using Excel and Word documents that exploited vulnerabilities in those applications, attached to carefully crafted email messages. The attached files recycled stolen data (and therefore context) from other victims of the same sector, making what would otherwise be a suspicious email look legitimate. It is reasonable to assume that the identity of the earlier victim was also used to send the email, lending it that victim's positive reputation and appearance.
These targeted social engineering messages (“Spear Phishing”) bypassed “perimeter” security measures.
New software exploits will always be around to help circumvent "perimeter" security measures. DLP solutions were also probably defeated in this attack, since Rocra implements a proprietary data transmission protocol with the C&C that changes both file content and file size.
However, data access patterns are difficult to change. Automation, among other attributes of data access, gives the attacker speed and volume, and it is not something the attacker can give up.
Was it possible to detect and prevent the data theft? Yes—had the victims monitored their data more closely rather than just monitoring the network perimeter and endpoints.
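As an added illustration of that point (example code written here, not code from the original post or from Imperva): a small detector that reads file-server audit lines and flags a user who pulls many objects in a short window at a machine-regular cadence, the speed-and-volume signature that a scripted collector leaves behind. The `<ISO timestamp> <user> <path>` line format and the sample records are constructed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed file-server audit lines: "<ISO timestamp> <user> <path>".
# Invented for this example; they are not records from the Red October report.
# "alice" browses a few documents by hand over an hour; the host logged in as
# "bob" fetches 12 documents at an exact 2-second cadence, the mark of a script.
SAMPLE_AUDIT_LOG = """
2013-01-14T09:02:11 alice /shares/finance/budget_2013.xlsx
2013-01-14T09:17:45 alice /shares/finance/forecast.docx
2013-01-14T09:58:03 alice /shares/hr/policy.pdf
""" + "\n".join(
    f"2013-01-14T11:30:{s:02d} bob /shares/finance/report_{s}.docx" for s in range(0, 24, 2)
)


def parse_audit_log(text):
    """Return a list of (timestamp, user, path) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, path = line.split(maxsplit=2)
        events.append((datetime.fromisoformat(ts), user, path))
    return events


def find_automated_access(events, min_events=10, window_seconds=60, max_cv=0.2):
    """Return {user: summary} for users whose access looks scripted: at least
    min_events accesses inside window_seconds, with inter-access gaps so regular
    (coefficient of variation <= max_cv) that a human is unlikely to produce them."""
    by_user = defaultdict(list)
    for ts, user, path in events:
        by_user[user].append((ts, path))
    findings = {}
    for user, items in by_user.items():
        items.sort()
        times = [t for t, _ in items]
        for i in range(len(times)):  # slide a window over this user's accesses
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 < min_events:
                continue
            gaps = [(times[k + 1] - times[k]).total_seconds() for k in range(i, j)]
            mean = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0  # zero gaps = burst
            if cv <= max_cv:
                findings[user] = {"objects": len({p for _, p in items[i:j + 1]}),
                                  "span_seconds": (times[j] - times[i]).total_seconds(),
                                  "gap_cv": round(cv, 3)}
                break
    return findings


if __name__ == "__main__":
    print(find_automated_access(parse_audit_log(SAMPLE_AUDIT_LOG)))
```

The thresholds are starting points; in practice they are tuned per data store against a baseline of how real users read from it.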
Author: Tom Goren Bar, Data Security Researcher at Imperva.