Hunting Red October: Who done it?

Kaspersky Lab

Operation Red October -- the newly discovered cyber spying operation that has targeted a range of diplomatic facilities, defense companies, and energy firms around the globe -- may mark an evolution of the cyber black market.

U.S. government officials have been extremely worried about the rise of hackers for hire and the associated markets for cyber crime and espionage tools, but Red October may be one of the most sophisticated cyber espionage operations conducted by a private group. Since 2007, Red October has been using a virus called Rocra to spy on computers and smartphones used by the employees of everything from diplomatic missions to research facilities -- gathering exactly the type of information that government spy agencies want.

Kaspersky Lab, the IT security firm that announced earlier this week that it had uncovered Red October, says that the perpetrators appear to be Russian-speaking, but the lab can't provide evidence that this is an official Kremlin-backed operation. The lab also can't eliminate the possibility that private hackers are responsible. That's right: we may be seeing the rise of private spy agencies. Think SPECTRE, or whatever Raoul Silva, Javier Bardem's character in the latest 007 film, calls his organization.

"If this is a private cyber espionage network without close state sponsoring or funding — which seems to be the driving thesis in the Kaspersky report — then that says something about the new terrain for how actors are working in cyberspace," Laura Galante, an intelligence analyst at IT security firm Mandiant, told Killer Apps.

"We’ve moved on from kind of this hacker for hire" who simply perform disruptive, denial of service attacks "and now we’re into what information can we sell that would be incredibly valuable to a government, and private individuals or groups are willing to take on that kind of endeavor which is definitely riskier and requires significant funding to do," said Galante. "It’s almost digital spies for hire."

"I think the big takeaway for most people will be people; this was a sophisticated attack, that’s the type of thing that makes people think, ‘do we now have private espionage networks that can provide really targeted information’" about high level targets to a government, said the analyst.

Still, this may well be the work of government spies, notes Galante. She points out that Red October is a sophisticated operation that’s been going on for five years, meaning that it likely had significant funding and its perpetrators were probably comfortable in knowing there’s a low chance they’ll be prosecuted.

"To be able to function and get the information that they’ve supposedly got, you have to be able to operate in an environment immune from imminent prosecution," said Galante. "For something that goes after this type of information, that’s a five year long operation, it’s really suspicious that a completely private group of entrepreneurial hackers would have the funding to do that and have the same kind of attention to go on that long."

It’s also worth noting that Kaspersky researchers found Cold War-era Russian espionage slang (who knew that was a thing?) written into Rocra’s code. For example, one of Rocra’s modules designed to spy on smartphones was named zakladka, possibly after the Russian slang term for a microphone bug embedded in the wall of an embassy, according to Kaspersky.

If the Kremlin is behind Red October, the discovery would give Western analysts a relatively rare window into Russia’s cyber capabilities.

"If the Russian government had close ties or some sort of ability to direct and provide tasking for something like the Red October campaign, that would be the newest point for an understanding of what Russia’s capabilities are," said Galante. "It definitely raises suspicions for the U.S. government about the potential of Russia’s capabilities; whether we believe they’re highly capable or not is the question, but it definitely raises suspicions" about how advanced Russia’s cyber capabilities are.

Still, Galante warned against freaking out about the Russians coming after everyone in cyberspace.

"We don’t know how capable Russia is, we don’t have a lot to point to, and we should look at threats accordingly, seeing demonstrated capability and seeing attributed events is something we should look at before we’re too giddy to deem a certain country a major threat."

John Reed is a national security reporter for Foreign Policy. He comes to FP after editing Military.com’s publication Defense Tech and working as the associate editor of DoDBuzz. Between 2007 and 2010, he covered major trends in military aviation and the defense industry around the world for Defense News and Inside the Air Force. Before moving to Washington in August 2007, Reed worked in corporate sales and business development for a Swedish IT firm, The Meltwater Group in Mountain View CA, and Philadelphia, PA. Prior to that, he worked as a reporter at the Tracy Press and the Scotts Valley Press-Banner newspapers in California. His first story as a professional reporter involved chasing escaped emus around California’s central valley with Mexican cowboys armed with lassos and local police armed with shotguns. Luckily for the giant birds, the cowboys caught them first and the emus were ok. A New England native, Reed graduated from the University of New Hampshire with a dual degree in international affairs and history.
