Just last week, the Department of Homeland Security warned about security flaws in Oracle's Java software, going so far as to advise people to stop using it altogether. Now it has been revealed that a Java vulnerability (an older, already patched one, not the flaw behind last week's warning) was among those used by a cyberattack operation dubbed "Red October," which has been infiltrating government networks around the world for the last few years.
The research identifying the cyberattack was done by Kaspersky Lab's Global Research & Analysis Team and published on the website Securelist. It states that diplomatic, governmental and scientific research organizations in several countries, mostly in Eastern Europe and Central Asia, were the targets of attacks dating back to at least 2007.
Kaspersky said the information being stolen is "of the highest level" and includes geopolitical data that could be used by nation states and has the potential to be "traded [...] underground and sold to the highest bidder, which can be of course, anywhere." Kaspersky also said the information was collected from "high profile victims," but it is not known how the stolen information was used.
It is unknown who launched the attack, but Kaspersky does point out these two factors:
- The exploits appear to have been created by Chinese hackers.
- The Rocra (Kaspersky's shorthand for Red October) malware modules have been created by Russian-speaking operatives.
In addition to exploiting a vulnerability in Java, the report stated that known exploits in Microsoft Word and Excel were used by the attackers to gain access to systems. The malware was also reported to be able to pull information from smartphones and other mobile devices connected to infected machines.
"Information harvested from infected networks was reused in later attacks," the report stated in its main findings section. "For example, stolen credentials were compiled in a list and used when the attackers needed to guess secret phrase in other locations. To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries (mainly Germany and Russia). The C&C infrastructure is actually a chain of servers working as proxies and hiding the location of the 'mothership' control server."
According to CNET, Kaspersky believes the cyberattack is still active and is similar in complexity to the Flame malware, which was identified last year.
And in case you're wondering, the operation's name, Red October, is indeed a reference to the novel "The Hunt for Red October."
Read more about the cyberattack in Kaspersky Lab's report here.