{
	"id": "84557304-2352-4437-984f-9c93fed4494d",
	"created_at": "2026-04-06T00:19:01.127236Z",
	"updated_at": "2026-04-10T13:11:57.596051Z",
	"deleted_at": null,
	"sha1_hash": "6855a33eedc17d66c9ba54db4bdfaef68505d8a2",
	"title": "“Red October” Diplomatic Cyber Attacks Investigation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2566870,
	"plain_text": "“Red October” Diplomatic Cyber Attacks Investigation\r\nBy GReAT\r\nPublished: 2013-01-14 · Archived: 2026-04-05 20:37:40 UTC\r\nContents\r\nExecutive Summary\r\nAnatomy of the attack\r\nGeneral description\r\nStep-by-step description (1st stage)\r\nStep-by-step description (2nd stage)\r\nTimeline\r\nTargets\r\nKSN statistics\r\nSinkhole statistics\r\nKSN + sinkhole data\r\nC\u0026C information\r\nExecutive Summary\r\nIn October 2012, Kaspersky Lab’s Global Research \u0026 Analysis Team initiated a new threat research after a series of attacks against the computer networks of various international diplomatic service agencies. A large-scale cyber-espionage network was revealed and analyzed during the investigation, which we called “Red October” (after the famous novel “The Hunt for Red October”).\r\nThis report is based on a detailed technical analysis of a series of targeted attacks against diplomatic, governmental and scientific research organizations in different countries, mostly related to the region of Eastern Europe, former USSR members and countries in Central Asia.\r\nThe main objective of the attackers was to gather intelligence from the compromised organizations, which included computer systems, personal mobile devices and network equipment.\r\nThe earliest evidence indicates that the cyber-espionage campaign has been active since 2007 and is still active at the time of writing (January 2013).\r\nBesides that, registration data used for the purchase of several Command \u0026 Control (C\u0026C) servers and unique malware filenames related to the current attackers hint at an even earlier time of activity, dating back to May 2007.\r\nMain Findings\r\nAdvanced cyber-espionage network: The attackers have been active for at least several years, focusing on diplomatic and governmental agencies of various countries across the world.\r\nhttps://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/#8\r\nPage 1 of 22\n\nInformation harvested from infected networks was reused in later attacks. For example, stolen credentials were compiled in a list and used when the attackers needed to guess secret phrases in other locations. To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries (mainly Germany and Russia). The C\u0026C infrastructure is actually a chain of servers working as proxies and hiding the location of the ‘mothership’ control server.\r\nUnique architecture: The attackers created a multi-functional kit that can quickly be extended with new intelligence-gathering features. The system is resistant to C\u0026C server takeover and allows the attackers to recover access to infected machines using alternative communication channels.\r\nBroad variety of targets: Besides traditional attack targets (workstations), the system is capable of stealing data from mobile devices, such as smartphones (iPhone, Nokia, Windows Mobile), enterprise network equipment (Cisco) and removable disk drives (including already deleted files, via a custom file recovery procedure).\r\nImportation of exploits: The samples we managed to find were using exploit code for vulnerabilities in Microsoft Word and Microsoft Excel that was created by other attackers and employed during different cyber attacks. The attackers left the imported exploit code untouched, perhaps to complicate identification.\r\nAttacker identification: Based on the registration data of C\u0026C servers and numerous artifacts left in executables of the malware, we strongly believe that the attackers have Russian-speaking origins. The current attackers and the executables they developed were unknown until recently and have never been related to any other targeted cyberattacks.\r\nAnatomy of the attack\r\nGeneral description\r\nThese attacks followed the classic scenario of specific targeted attacks, consisting of two major stages:\r\n1. Initial infection\r\n2. Additional modules deployed for intelligence gathering\r\nThe malicious code was delivered via e-mail as attachments (Microsoft Excel, Word and, probably, PDF documents) which were rigged with exploit code for known security vulnerabilities in the mentioned applications. In addition to Office documents (CVE-2009-3129, CVE-2010-3333, CVE-2012-0158), it appears that the attackers also infiltrated victim network(s) via Java exploitation (known as the ‘Rhino’ exploit, CVE-2011-3544).\r\nRight after the victim opened the malicious document or visited a malicious URL on a vulnerable system, the embedded malicious code initiated the setup of the main component, which in turn handled further communication with the C\u0026C servers.\r\nNext, the system receives a number of additional spy modules from the C\u0026C server, including modules to handle infection of smartphones.\r\nThe main purpose of the spying modules is to steal information. This includes files from different cryptographic systems, such as “Acid Cryptofiler” (see https://fr.wikipedia.org/wiki/Acid_Cryptofiler), which is known to be used in organizations of the European Union/European Parliament/European Commission since the summer of 2011. All gathered information is packed, encrypted and only then transferred to the C\u0026C server.\r\nStep-by-step description (1st stage)\r\nDuring our investigation we couldn’t find any e-mails used in the attacks, only top-level dropper documents. Nevertheless, based on indirect evidence, we know that the e-mails could have been sent using one of the following methods:\r\nUsing an anonymous mailbox from a free public email service provider\r\nUsing mailboxes from already infected organizations\r\nE-mail subject lines as well as the text in e-mail bodies varied depending on the target (recipient). The attached file contained the exploit code, which activated a Trojan dropper in the system.\r\nWe have observed the use of at least three different exploits for previously known vulnerabilities: CVE-2009-3129 (MS Excel), CVE-2010-3333 (MS Word) and CVE-2012-0158 (MS Word). The first attacks that used the exploit for MS Excel started in 2010, while attacks targeting the MS Word vulnerabilities appeared in the summer of 2012.\r\nAs a notable fact, the attackers used exploit code that was made public and originally came from a previously known targeted attack campaign with Chinese origins. The only thing that was changed is the executable which was embedded in the document; the attackers replaced it with their own code.\r\nThe embedded executable is a file-dropper, which extracts and runs three additional files:\r\n%TEMP%\\MSC.BAT\r\n%ProgramFiles%\\WINDOWS NT\\LHAFD.GCP (\u003c- This file name varies)\r\n%ProgramFiles%\\WINDOWS NT\\SVCHOST.EXE\r\nThe MSC.BAT file has the following contents:\r\nchcp 1251\r\n:Repeat\r\nattrib -a -s -h -r “%DROPPER_FILE%”\r\ndel “%DROPPER_FILE%”\r\nif exist “%DROPPER_FILE%” goto Repeat\r\ndel “%TEMP%\\msc.bat”\r\nAnother noteworthy fact is the first line of this file, which is a command to switch the codepage of the infected system to 1251. This is required to address files and directories that contain Cyrillic characters in their names.\r\nThe “LHAFD.GCP” file is encrypted with RC4 and compressed with the “Zlib” library. This file is essentially a backdoor, which is decoded by the loader module (svchost.exe). The decrypted file is injected into system memory and is responsible for communication with the C\u0026C server.\r\nOn any infected system, every major task is performed by the main backdoor component. The main component is started only after its loader (“svchost.exe”) checks whether an internet connection is available. It does so by connecting to three Microsoft hosts:\r\nupdate.microsoft.com\r\nwww.microsoft.com\r\nsupport.microsoft.com\r\nFigure – Hosts used to validate internet connection\r\nAfter the Internet connection is validated, the loader executes the main backdoor component that connects to its C\u0026C servers:\r\nCapture of malware’s communication with the C2\r\nThe connections with the C\u0026C are encrypted – different encryption algorithms are used to send and receive data.\r\nEncrypted communication with the C2\r\nDuring our investigation, we found more than 60 different command-and-control domains. Each malware sample contains three such domains, which are hardcoded inside the main backdoor component:\r\nHardcoded C2 domains inside backdoor\r\nStep-by-step description (2nd stage)\r\nAfter a connection with the C\u0026C server is established, the backdoor starts the communication process, which leads to the loading of additional modules. These modules can be split into two categories: “offline” and “online”. The main difference between these categories is their behavior on the infected system:\r\n“Offline”: exists as files on the local disk, can create its own system registry keys and local log files, and may communicate with C\u0026C servers on its own.\r\n“Online”: exists only in system memory and is never saved to the local disk, creates no registry keys, keeps all logs in memory instead of on the local disk, and sends the results of its work to the C\u0026C server using its own code.\r\nThere is a notable module among all others, which is essentially created to be embedded into Adobe Reader and Microsoft Office applications. The main purpose of its code is to create a foolproof way to regain access to the target system. The module expects a specially crafted document with attached executable code and special tags. The document may be sent to the victim via e-mail. It will not have any exploit code and will safely pass all security checks. However, as in the exploit case, the document will be instantly processed by the module and the module will start a malicious application attached to the document.\r\nThis trick can be used to regain access to the infected machines in case of an unexpected C\u0026C server shutdown/takeover.\r\nTimeline\r\nWe have identified over 1000 different malicious files related to over 30 modules of this Trojan kit. Most of them were created between May 2010 and October 2012.\r\nThere were 115 file-creation dates identified which are related to these campaigns via emails during the last two and a half years. A concentration of file creation dates around a particular day may indicate the date of a mass attack (which was also confirmed by some of our side observations):\r\nYear 2010\r\n19.05.2010\r\n21.07.2010\r\n04.09.2010\r\nYear 2011\r\n05.01.2011\r\n14.03.2011\r\n05.04.2011\r\n23.06.2011\r\n06.09.2011\r\n21.09.2011\r\nYear 2012\r\n12.01.2012\r\nBelow is a list of sample attachment filenames that were sent to some of the victims:\r\nFile name:\r\nKatyn_-_opinia_Rosjan.xls\r\nFIEO contacts update.xls\r\nspisok sotrudnikov.xls\r\nList of shahids.xls\r\nSpravochnik.xls\r\nTelephone.xls\r\nBMAC Attache List – At 11 Oct_v1[1].XLS\r\nMERCOSUR_Imports.xls\r\nCópia de guia de telefonos (2).xls\r\nProgramme de fetes 2011.xls\r\n12 05 2011 updated.xls\r\ntelefonebi.xls\r\nTargets\r\nWe used two approaches to identify targets for these attacks. First, we used the Kaspersky Security Network (KSN), and then we set up our own sinkhole server. The data received via these two independent methods correlated, which confirmed our findings.\r\nKSN statistics\r\nThe attackers used exploit code that was already detected, so at the beginning of the research we already had some detection statistics from our anti-malware software. We searched for similar detections for the period 2011-2012.\r\nThat is how we discovered more than 300 unique systems which had detected at least one module of this Trojan kit.\r\nRUSSIAN FEDERATION 35\r\nKAZAKHSTAN 21\r\nAZERBAIJAN 15\r\nBELGIUM 15\r\nINDIA 15\r\nAFGHANISTAN 10\r\nARMENIA 10\r\nIRAN 7\r\nTURKMENISTAN 7\r\nUKRAINE 6\r\nUNITED STATES 6\r\nVIET NAM 6\r\nBELARUS 5\r\nGREECE 5\r\nITALY 5\r\nMOROCCO 5\r\nPAKISTAN 5\r\nSWITZERLAND 5\r\nUGANDA 5\r\nUNITED ARAB EMIRATES 5\r\nBRAZIL 4\r\nFRANCE 4\r\nGEORGIA 4\r\nGERMANY 4\r\nJORDAN 4\r\nMOLDOVA 4\r\nSOUTH AFRICA 4\r\nTAJIKISTAN 4\r\nTURKEY 4\r\nUZBEKISTAN 4\r\nAUSTRIA 3\r\nCYPRUS 3\r\nKYRGYZSTAN 3\r\nLEBANON 3\r\nMALAYSIA 3\r\nQATAR 3\r\nSAUDI ARABIA 3\r\nCONGO 2\r\nINDONESIA 2\r\nKENYA 2\r\nLITHUANIA 2\r\nOMAN 2\r\nTANZANIA 2\r\nCountries with more than one infection\r\nOnce again, this is based on data from Kaspersky AV products. The real number of victims and the list of victim names are apparently much larger than mentioned above.\r\nSinkhole statistics\r\nDuring our analysis, we uncovered more than 60 different domains used by different variants of the malware. Out of the list of domains, several had expired, so we registered them to evaluate the number of victims connecting to them.\r\nThe following domains have been registered and sinkholed by Kaspersky Lab:\r\nDomain Date sinkholed\r\nshellupdate.com 5-Dec-2012\r\nmsgenuine.net 19-Nov-2012\r\nmicrosoft-msdn.com 5-Nov-2012\r\nwindowsonlineupdate.com 2-Nov-2012\r\ndll-host-update.com 2-Nov-2012\r\nwindows-genuine.com 2-Nov-2012\r\nAll the sinkholed domains currently point to “95.211.172.143”, which is Kaspersky’s sinkhole server.\r\nDuring the monitoring period (2 Nov 2012 – 10 Jan 2013), we registered over 55,000 connections to the sinkhole. The most popular domain is “dll-host-update.com”, which is receiving most of the traffic.\r\nFrom the point of view of country distribution of connections to the sinkhole, we have observed victims in 39 countries, with most of the IPs being from Switzerland. Kazakhstan and Greece follow next.\r\nInterestingly, when connecting to the sinkhole, the backdoors submit their unique victim ID, which allows us to separate the multiple IPs per victim.\r\nBased on the traffic received by our sinkhole, we created the following list of unique victim IDs, countries and possible profiles:\r\nVictim ID Country Victim profile\r\n0706010C1BC0B9E5B702 Kazakhstan Gov research institute\r\n0F746C2F283E2FACE581 Kazakhstan ?\r\n150BD7E7449C42C66ED1 Kazakhstan ?\r\n15B7400DBC4975BFAEF6 Austria ?\r\n24157B5D2CD0CA8AA602 UAE ?\r\n3619E36303A2A56DC880 Russia Foreign Embassy\r\n4624C55DEF872FBF2A93 Spain ?\r\n4B5181583F843A904568 Spain ?\r\n4BB2783B8AEC0B439CE8 Switzerland ?\r\n5392032B24AAEE8F3333 Kazakhstan ?\r\n569530675E86118895C4 Pakistan ?\r\n57FE04BA107DD56D2820 Iran Foreign Embassy\r\n5D4102CD1D87417FF93B Russia Gov research institute\r\n5E65486EF8CC4EE4DB5B Japan Foreign Trade Commission\r\n6127D685ED1E72E09201 Kazakhstan ?\r\n6B9AFF89A02958C79C17 Ireland Foreign Embassy\r\n6D97B24C08DD64EEDE03 Czech Republic ?\r\n7B14DE85C80368337E87 Turkey ?\r\n89BF96469244534DC092 Belarus Gov research institute\r\n8AA071A22BEDD8D8EC13 Moldova Government\r\n8C58407030570D3A3F52 Albania ?\r\n947827A169348FB01E2F Bosnia and Herzegovina ?\r\nB34C94D561B348EAC75D Switzerland ?\r\nB49FC93701E7B7F83C44 Belgium ?\r\nB6E4946A47FC3963ABC1 Kazakhstan Energy research group\r\nC978C25326D96C995038 Russia ?\r\nD48A783D288DC72A702B Kazakhstan Aerospace\r\nDAE795D285E0A01ADED5 Russia Trading company\r\nDD767EEEF83A62388241 Russia Gov research institute\r\nIn some cases, it is possible to create a profile of the victim based on the IP address; in most of the cases, however, the identity of the victim remains unknown.\r\nKSN + sinkhole data\r\nSome of the victim organizations were identified using IP addresses and public WHOIS information or remote system names.\r\nThe most “interesting” of those are:\r\nAlgeria – Embassy\r\nAfghanistan – Gov, Military, Embassy\r\nArmenia – Gov, Embassy\r\nAustria – Embassy\r\nAzerbaijan – Oil/Energy, Embassy, Research\r\nBelarus – Research, Oil/Energy, Gov, Embassy\r\nBelgium – Embassy\r\nBosnia and Herzegovina – Embassy\r\nBotswana – Embassy\r\nBrunei Darussalam – Gov\r\nCongo – Embassy\r\nCyprus – Embassy, Gov\r\nFrance – Embassy, Military\r\nGeorgia – Embassy\r\nGermany – Embassy\r\nGreece – Embassy\r\nHungary – Embassy\r\nIndia – Embassy\r\nIndonesia – Embassy\r\nIran – Embassy\r\nIraq – Gov\r\nIreland – Embassy\r\nIsrael – Embassy\r\nItaly – Embassy\r\nJapan – Trade, Embassy\r\nJordan – Embassy\r\nKazakhstan – Gov, Research, Aerospace, Nuclear/Energy, Military\r\nKenya – Embassy\r\nKuwait – Embassy\r\nLatvia – Embassy\r\nLebanon – Embassy\r\nLithuania – Embassy\r\nLuxembourg – Gov\r\nMauritania – Embassy\r\nMoldova – Gov, Military, Embassy\r\nMorocco – Embassy\r\nMozambique – Embassy\r\nOman – Embassy\r\nPakistan – Embassy\r\nPortugal – Embassy\r\nQatar – Embassy\r\nRussia – Embassy, Research, Military, Nuclear/Energy\r\nSaudi Arabia – Embassy\r\nSouth Africa – Embassy\r\nSpain – Gov, Embassy\r\nSwitzerland – Embassy\r\nTanzania – Embassy\r\nTurkey – Embassy\r\nTurkmenistan – Gov, Oil/Energy\r\nUganda – Embassy\r\nUkraine – Military\r\nUnited Arab Emirates – Oil/Energy, Embassy, Gov\r\nUnited States – Embassy\r\nUzbekistan – Embassy\r\nC\u0026C information\r\nA list of the most popular domains used for command and control can be found below:\r\nInterestingly, although the domain “dll-host-update.com” appears in one of the malware configurations, it had not been registered by the attackers. The domain has since been registered by Kaspersky Lab on Nov 2nd, 2012 to monitor the attackers’ activities.\r\nAnother interesting example is “dll-host-udate.com” – the “udate” part appears to be a typo.\r\nAll the domains used by the attackers appear to have been registered between 2007 and 2012. The oldest known domain was registered in Nov 2007; the newest in May 2012.\r\nMost of the domains have been registered using the service “reg.ru”, but other services such as “webdrive.ru”, “webnames.ru” or “timeweb.ru” have been used as well.\r\nDuring our monitoring, we observed the domains pointing to several malicious webservers. A list of servers with confirmed malicious behavior can be found below.\r\nIn total, we have identified 10 different servers which exhibited confirmed malicious behavior. Most of these servers are located in Germany, at Hetzner Online AG.\r\nDuring our analysis, we were able to obtain an image of one of the command-and-control servers. The server itself proved to be a proxy, which was forwarding requests to another server on port 40080. The script responsible for the redirection was found in /root/scp.pl and relies on the “socat” tool for stream redirection.\r\nBy scanning the Internet for computers with port 40080 open, we were able to identify three such servers in total, which we call “mini-motherships”:\r\nConnecting to these hosts on port 40080 and fetching the index page, we get the following standard content, which is identical in all C\u0026Cs:\r\nFetching the index info (via HTTP “HEAD”) for these servers reveals the following:\r\ncurl -I --referer \"http://www.google.com/\" --user-agent \"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\" http://31.41.45.139:40080\r\nHTTP/1.1 200 OK\r\nDate: Mon, 12 Nov 2012 09:58:37 GMT\r\nServer: Apache\r\nLast-Modified: Tue, 21 Feb 2012 09:00:41 GMT\r\nETag: \"8c0bf6-ba-4b975a53906e4\"\r\nAccept-Ranges: bytes\r\nContent-Length: 186\r\nContent-Type: text/html\r\ncurl -I --referer \"http://www.google.com/\" --user-agent \"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\" http://178.63.208.63:40080\r\nHTTP/1.1 200 OK\r\nDate: Mon, 12 Nov 2012 09:59:09 GMT\r\nServer: Apache\r\nLast-Modified: Tue, 21 Feb 2012 09:00:41 GMT\r\nETag: \"8c0bf6-ba-4b975a53906e4\"\r\nAccept-Ranges: bytes\r\nContent-Length: 186\r\nContent-Type: text/html\r\nIt should be noted that the “last modified” field of the pages points to the same date: Tue, 21 Feb 2012 09:00:41 GMT. This is important and probably indicates that the three known mini-motherships are just proxies themselves, pointing to the same top-level “mothership” server.\r\nThis allows us to draw the following diagram of the C\u0026C infrastructure as of November 2012:\r\nFor the Command and Control servers, the various generations of the backdoor connect to different scripts:\r\nDomain Script location\r\nnt-windows-update.com, nt-windows-check.com, nt-windows-online.com /cgi-bin/nt/th, /cgi-bin/nt/sk\r\ndll-host-update.com /cgi-bin/dllhost/ac\r\nmicrosoft-msdn.com /cgi-bin/ms/check, /cgi-bin/ms/flush\r\nwindows-genuine.com /cgi-bin/win/wcx, /cgi-bin/win/cab\r\nwindowsonlineupdate.com /cgi-bin/win/cab\r\nFor instance, the script “/cgi-bin/nt/th” is used to receive commands from the command-and-control server, usually in the form of new plugins to run on the victim’s computer. The “/cgi-bin/nt/sk” script is called by the running plugins to upload stolen data and information about the victim.\r\nWhen connecting to the C\u0026C, the backdoor identifies itself with a specific string which includes a hexadecimal value that appears to be the victim’s unique ID. Different variants of the backdoor contain different victim IDs. Presumably, this allows the attackers to distinguish between the multitude of connections and perform specific operations for each victim individually.\r\nFor instance, a top-level XLS dropper presumably used against a Polish target, named “Katyn_-_opinia_Rosjan.xls”, contains the hardcoded victim ID “F50D0B17F870EB38026F”. A similar XLS named “tactlist_05-05-2011_.8634.xls / EEAS New contact list (05-05-2011).xls”, possibly used in Moldova, contains the victim ID “FCF5E48A0AE558F4B859”.\r\nPart 2 of this paper will cover malware modules and provide more technical details about their operation.\r\nSource: https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/#8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/#8"
	],
	"report_names": [
		"#8"
	],
	"threat_actors": [],
	"ts_created_at": 1775434741,
	"ts_updated_at": 1775826717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6855a33eedc17d66c9ba54db4bdfaef68505d8a2.pdf",
		"text": "https://archive.orkl.eu/6855a33eedc17d66c9ba54db4bdfaef68505d8a2.txt",
		"img": "https://archive.orkl.eu/6855a33eedc17d66c9ba54db4bdfaef68505d8a2.jpg"
	}
}