FADE TO BLACK —

Red October espionage platform unplugged hours after its discovery

Command servers and domains that targeted governments around the world go dark.

Key parts of the infrastructure supporting an espionage campaign that targeted governments around the world reportedly have been shut down in the days since the five-year operation was exposed.

The so-called Red October campaign came to light on Monday in a report from researchers at antivirus provider Kaspersky Lab. The report said the then-ongoing operation was targeting embassies as well as governmental and scientific research organizations in a wide variety of countries. The research uncovered more than 60 Internet domain names used to run the sprawling command-and-control network that funneled malware to infected machines and received stolen data from them. In the hours following the report, many of those domains and servers began shutting down, according to an article posted Friday by Kaspersky news service Threatpost.

"It's clear that the infrastructure is being shut down," Kaspersky Lab researcher Costin Raiu told the service. "Not only the registers killing the domains and the hosting providers killing the command-and-control servers but perhaps the attackers shutting down the whole operation."

One of Red October's innovations is a command infrastructure that uses multiple layers of servers and domains that act as proxies to camouflage the core functions in the operation. Mashable reporter Lorenzo Franceschi-Bicchierai quoted Raiu as describing the design as an "onion with multiple skins" with a mothership at its center that collects all the stolen data. Raiu said most of the unplugged domains and disconnected servers seen so far represent first-level proxies. He speculated the operation may go dormant for a while and then come back using different servers or domains, or even different malware altogether.

Raiu said the full extent of the infrastructure likely hasn't been uncovered yet. He estimated the campaign may use several dozen more servers. If correct, the total number would rival the command infrastructure used by Flame, the state-sponsored malware campaign that targeted sensitive networks in Iran.

As Ars reported on Thursday, the Red October malware platform was another innovation of the campaign. It contained 1,000 separate modules in 30 module categories, allowing operators to serve unique combinations of components to targets based on their specific system configurations and end-user profiles. They were created as early as 2007 and as recently as January 8.
