Rediff.com« Back to articlePrint this article

Cyberwar to turn more ruthless in 2013

January 15, 2013 14:51 IST

The cold war in the cyberspace in 2012 is history. If the latest report by Kaspersky Labs is to be believed, in 2013 the war's expected to get more aggressive.

A testimony to the same is the building of thorough cyber warfare programmes by 12 of the world's military powers.

Last year, in India, hackers resorted to defacing websites and indulged in cyber thefts. However, intelligence agencies are now predicting that army and government establishments are at major risk from cyber attacks this year.

The Kaspersky Labs report states that since the past five years a high-level cyber-espionage campaign has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations, gathering data and intelligence from mobile devices, computer systems and network equipment.

The targets of this campaign have been found at Eastern Europe, former USSR members and countries in Central Asia, Western Europe and North America.

The campaign, identified as 'Rocra' (short for 'Red October') is currently still active with data being sent to multiple command-and-control servers

According to the report, Red October attackers have been active for at least five years, focusing on diplomatic and governmental agencies of various countries across the world.

Information harvested from infected networks is re-used in later attacks.

For example, stolen credentials were compiled in a list and used when the attackers needed to guess passwords and network credentials in other locations. To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries.

Beside traditional attack targets (work stations), the system is capable of stealing data from mobile devices, such as smart phones (iPhone, Nokia, Windows Mobile); dumping enterprise network equipment configuration (cisco); hijacking files from removable disk drives (including already deleted files via a custom file.

The exploits from the documents used in spear phishing were created by other attackers and employed during different cyber attacks against Tibetan activists as well as military and energy sector targets in Asia. The only thing that was changed is the executable which was embedded in the document; the attackers replaced it with their own code.

The United States has woken up to this threat and the Obama administration had even said that an enemy nation or a terrorist cell could target critical elements such as banks, stock exchanges, water systems and nuclear power plants.

How 'Red October' boots and infects

The Rocra framework is designed for executing "tasks" that are provided by its command-and-control servers.

Once a USB drive is connected, it searches and extracts files by mask/format, including deleted files. Deleted files are restored using a built-in file system parser.

It then waits for an iPhone or a Nokia cell phone to be connected. Once connected, it retrieves information about the phone -- its contact list, call history, calendar, SMS messages and browsing history.

A Windows Mobile phone could be infected with a mobile version of the Rocra main component.

It will retrieve e-mail messages and attachments from Microsoft Outlook and from reachable mail servers using previously-obtained credentials.

Over 1000 modules belonging to 30 different categories have been created between 2007 with the most recent being compiled on January 8, 2013.

Vicky Nanjappa