Hunting Red October: Who done it?

Operation Red October — the newly discovered cyber spying operation that has targeted a range of diplomatic facilities, defense companies, and energy firms around the globe — may mark an evolution of the cyber black market.

U.S. government officials have been extremely worried about the rise of hackers for hire and the associated markets for cyber crime and espionage tools for, but Red October may be one of the most sophisticated cyber espionage operations conducted by a private group. Since 2007, Red October has been using a virus called Rocra to spy on computers and smartphones used by the employees of everything from diplomatic missions to research facilities — gathering exactly the type of information that government spy agencies want.

Kaspersky Lab, the IT security firm that announced they had uncovered Red October earlier this week, says that its perpetrators appear to be Russian-speaking, but the lab can’t provide evidence that this is an official Kremlin-backed operation. The lab also can’t eliminate the possibility that private hackers are responsible. That’s right, we may be seeing the rise of private spy agencies, think SPECTRE or whatever Raoul Silva, Javier Bardem’s character in the latest 007 film, calls his organization.

"If this is a private cyber espionage network without close state sponsoring or funding — which seems to be the driving thesis in the Kaspersky report — than that says something about the new terrain for how actors are working in cyberspace," Laura Galante, an intelligence analyst at IT security firm Mandiant, told Killer Apps.

"We’ve moved on from kind of this hacker for hire" who simply perform disruptive, denial of service attacks "and now we’re into what information can we sell that would be incredibly valuable to a government, and private individuals or groups are willing to take on that kind of endeavor which is definitely riskier and requires significant funding to do," said Galante. "It’s almost digital spies for hire."

"I think the big takeaway for most people will be people; this was a sophisticated attack, that’s the type of thing that makes people think, ‘do we now have private espionage networks that can provide really targeted information" about high level targets to a government, said the analyst.

Still, this may well be the work of government spies, notes Galante. She points out that Red October is a sophisticated operation that’s been going on for five years, meaning that it likely had significant funding and its perpetrators were probably comfortable in knowing there’s a low chance they’ll be prosecuted.

"To be able to function and get the information that they’ve supposedly got, you have to be able to operate in an environment immune from imminent prosecution," said Galante. "For something that goes after this type of information, that’s a five year long operation, it’s really suspicious that a completely private group of entrepreneurial hackers would have the funding to do that and have the same kind of attention to go on that long."

It’s also worth noting that Kaspersky researchers found Cold War era Russian espionage slang (who knew that was a thing?) written into Rocra’s code. For example, one of Rocra’s modules designed to spy on smartphones was named, zakladka, possibly after the Russian slang term for a microphone bug embedded in the wall of an embassy, according to Kaspersky.

If the Kremlin is behind Red October, the discovery would give Western analysts a relatively rare window into Russia’s cyber capabilities.

"If the Russian government had close ties or some sort of ability to direct and provide tasking for something like the Red October campaign, that would be the newest point for an understanding of what Russia’s capabilities are," said Galante. "It definitely raises suspicions for the U.S. government about the potential of Russia’s capabilities; whether we believe they’re highly capable or not is the question, but it definitely raises suspicions" about how advanced Russia’s cyber capabilites are.

Still, Galante warned against freaking out about the Russians coming after everyone in cyberspace.

"We don’t know how capable Russia is, we don’t have a lot to point to, and we should look at threats accordingly, seeing demonstrated capabilty and seeing attributed events is something we should look at before we’re too giddy to deem a certain country a major threat.