{
	"id": "e8609439-d73e-460e-af45-0f183ef51a88",
	"created_at": "2026-04-06T00:09:50.959611Z",
	"updated_at": "2026-04-10T13:12:33.582553Z",
	"deleted_at": null,
	"sha1_hash": "82ca6ad6ec213c779c2c7c6f33ee5a1b7057d2c7",
	"title": "The “Red October” Campaign - An Advanced Cyber Espionage Network Targeting Diplomatic and Government Agencies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1496415,
	"plain_text": "The “Red October” Campaign - An Advanced Cyber Espionage\r\nNetwork Targeting Diplomatic and Government Agencies\r\nBy GReAT\r\nPublished: 2013-01-14 · Archived: 2026-04-02 12:39:05 UTC\r\nHere’s a link to the full paper (part 1) about our Red October research. During the next days, we’ll be\r\npublishing Part 2, which contains a detailed technical analysis of all the known modules. Please stay tuned.\r\nDuring the past five years, a high-level cyber-espionage campaign has successfully infiltrated computer networks\r\nat diplomatic, governmental and scientific research organizations, gathering data and intelligence from mobile\r\ndevices, computer systems and network equipment.\r\nKaspersky Lab’s researchers have spent several months analyzing this malware, which targets specific\r\norganizations mostly in Eastern Europe, former USSR members and countries in Central Asia, but also in Western\r\nEurope and North America.\r\nThe campaign, identified as “Rocra”, short for “Red October”, is currently still active with data being sent to\r\nmultiple command-and-control servers, through a configuration which rivals in complexity the infrastructure of\r\nthe Flame malware. Registration data used for the purchase of C\u0026C domain names and PE timestamps from\r\ncollected executables suggest that these attacks date as far back as May 2007.\r\nhttps://securelist.com/the-red-october-campaign/57647\r\nPage 1 of 14\n\nSome key findings from our investigation:\r\nThe attackers have been active for at least five years, focusing on diplomatic and governmental agencies of\r\nvarious countries across the world. Information harvested from infected networks is reused in later attacks.\r\nFor example, stolen credentials were compiled in a list and used when the attackers needed to guess\r\npasswords and network credentials in other locations. 
To control the network of infected machines, the\r\nattackers created more than 60 domain names and several server hosting locations in different countries\r\n(mainly Germany and Russia). The C\u0026C infrastructure is actually a chain of servers working as proxies\r\nand hiding the location of the true “mothership” command and control server.\r\nThe attackers created a multi-functional framework which is capable of quickly extending the\r\nfeatures that gather intelligence. The system is resistant to C\u0026C server takeover and allows the attacker to\r\nrecover access to infected machines using alternative communication channels.\r\nBesides traditional attack targets (workstations), the system is capable of stealing data from mobile devices,\r\nsuch as smartphones (iPhone, Nokia, Windows Mobile); dumping enterprise network equipment\r\nconfiguration (Cisco); hijacking files from removable disk drives (including already deleted files via a\r\ncustom file recovery procedure); stealing e-mail databases from local Outlook storage or remote\r\nPOP/IMAP servers; and siphoning files from local network FTP servers.\r\nWe have observed the use of at least three different exploits for previously known vulnerabilities: CVE-2009-3129 (MS Excel), CVE-2010-3333 (MS Word) and CVE-2012-0158 (MS Word). 
The earliest\r\nknown attacks used the exploit for MS Excel and took place in 2010 and 2011, while attacks targeting the\r\nMS Word vulnerabilities appeared in the summer of 2012.\r\nThe exploits from the documents used in spear phishing were created by other attackers and employed\r\nduring different cyber attacks against Tibetan activists as well as military and energy sector targets in Asia.\r\nThe only thing that was changed is the executable which was embedded in the document; the attackers\r\nreplaced it with their own code.\r\nSample fake image used in one of the Rocra spear phishing attacks.\r\nDuring lateral movement in a victim’s network, the attackers deploy a module to actively scan the local\r\narea network, find hosts vulnerable to MS08-067 (the vulnerability exploited by Conficker) or accessible\r\nwith admin credentials from its own password database. Another module used the collected information to\r\ninfect remote hosts in the same network.\r\nBased on registration data of the C\u0026C servers and numerous artifacts left in executables of the malware,\r\nwe strongly believe that the attackers have Russian-speaking origins. The attackers and the executables\r\nthey developed were unknown until recently and have never been linked to any other targeted cyber\r\nattacks. Notably, one of the commands in the Trojan dropper switches the codepage of an infected machine\r\nto 1251 before installation. This is required to address files and directories that contain Cyrillic characters\r\nin their names.\r\nRocra FAQ:\r\nWhat is Rocra? Where does the name come from? Was Operation Rocra targeting any specific industries,\r\norganizations or geographical regions?\r\nRocra (short for “Red October”) is a targeted attack campaign that has been going on for at least five years. 
It has\r\ninfected hundreds of victims around the world in eight main categories:\r\n1. Government\r\n2. Diplomatic / embassies\r\n3. Research institutions\r\n4. Trade and commerce\r\n5. Nuclear / energy research\r\n6. Oil and gas companies\r\n7. Aerospace\r\n8. Military\r\nIt is quite possible there are other targeted sectors which haven’t been discovered yet or have been attacked in the\r\npast.\r\nHow and when was it discovered?\r\nWe came across the Rocra attacks in October 2012, at the request of one of our partners. By analysing the attack,\r\nthe spear phishing and malware modules, we understood the scale of this campaign and started dissecting it in\r\ndepth.\r\nWho provided you with the samples?\r\nOur partner who originally pointed us to this malware prefers to remain anonymous.\r\nHow many infected computers have been identified by Kaspersky Lab? How many victims are there? What\r\nis the estimated size of Operation Red October on a global scale?\r\nDuring the past months, we’ve counted several hundred infections worldwide – all of them in top locations\r\nsuch as government networks and diplomatic institutions. 
The infections we’ve identified are distributed mostly in\r\nEastern Europe, but there are also reports coming from North America and Western European countries such as\r\nSwitzerland or Luxembourg.\r\nBased on our Kaspersky Security Network (KSN) here’s a list of countries with the most infections (only for those\r\nwith more than 5 victims):\r\nCountry Infections\r\nRUSSIAN FEDERATION 35\r\nKAZAKHSTAN 21\r\nAZERBAIJAN 15\r\nBELGIUM 15\r\nINDIA 14\r\nAFGHANISTAN 10\r\nARMENIA 10\r\nIRAN; ISLAMIC REPUBLIC OF 7\r\nTURKMENISTAN 7\r\nUKRAINE 6\r\nUNITED STATES 6\r\nVIET NAM 6\r\nBELARUS 5\r\nGREECE 5\r\nITALY 5\r\nMOROCCO 5\r\nPAKISTAN 5\r\nSWITZERLAND 5\r\nUGANDA 5\r\nUNITED ARAB EMIRATES 5\r\nFor the sinkhole statistics see below.\r\nWho is behind/responsible for this operation? Is this a nation-state sponsored attack?\r\nThe information we have collected so far does not appear to point towards any specific location; however, two\r\nimportant factors stand out:\r\nThe exploits appear to have been created by Chinese hackers.\r\nThe Rocra malware modules have been created by Russian-speaking operatives.\r\nCurrently, there is no evidence linking this with a nation-state sponsored attack. The information stolen by the\r\nattackers is obviously of the highest level and includes geopolitical data which can be used by nation states. 
Such\r\ninformation could be traded in the underground and sold to the highest bidder, who could of course be anywhere.\r\nAre there any interesting texts in the malware that can suggest who the attackers are?\r\nSeveral Rocra modules contain interesting typos and mis-spellings:\r\nnetwork_scanner: “SUCCESSED”, “Error_massage”, “natrive_os”, “natrive_lan”\r\nimapispool: “UNLNOWN_PC_NAME”, “WinMain: error CreateThred stop”\r\nmapi_client: “Default Messanger”, “BUFEER IS FULL”\r\nmsoffice_plugin: “my_encode my_dencode”\r\nwinmobile: “Zakladka injected”, “Cannot inject zakladka, Error: %u”\r\nPswSuperMailRu: “——-PROGA START—–“, “——-PROGA END—–“\r\nThe word “PROGA” used here might be a transliteration of the Russian slang “ПРОГА”, which literally means\r\nan application or a program among Russian-speaking software engineers.\r\nIn particular, the word “Zakladka” in Russian can mean:\r\n“bookmark”\r\n(more likely) a slang term meaning “undeclared functionality”, i.e. in software or hardware. However, it\r\nmay also mean a microphone embedded in a brick of the embassy building.\r\nThe C++ class that holds the C\u0026C configuration parameters is called “MPTraitor” and the corresponding\r\nconfiguration section in the resources is called “conn_a”. 
Some examples include:\r\nconn_a.D_CONN\r\nconn_a.J_CONN\r\nconn_a.D_CONN\r\nconn_a.J_CONN\r\nWhat kind of information is being hijacked from infected machines?\r\nInformation stolen from infected systems includes documents with extensions:\r\ntxt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau,\r\ncif, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca,\r\naciddsk, acidpvr, acidppr, acidssa.\r\nIn particular, the “acid*” extensions appear to refer to the classified software “Acid Cryptofiler”, which is used by\r\nseveral entities such as the European Union and/or NATO.\r\nWhat is the purpose/objective of this operation? What were the attackers looking for by conducting this\r\nsustained cyber-espionage campaign for so many years?\r\nThe main purpose of the operation appears to be the gathering of classified information and geopolitical\r\nintelligence, although it seems that the information gathering scope is quite wide. During the past five years, the\r\nattackers collected information from hundreds of high profile victims although it’s unknown how the information\r\nwas used.\r\nIt is possible that the information was sold on the black market, or used directly.\r\nWhat are the infection mechanisms for the malware? Does it have self-propagating (worm) capabilities?\r\nHow does it work? Do the attackers have a customized attack platform?\r\nThe main malware body acts as a point of entry into the system which can later download modules used for lateral\r\nmovement. 
After initial infection, the malware won’t propagate by itself – typically, the attackers would gather\r\ninformation about the network for a few days, identify key systems and then deploy modules which can\r\ncompromise other computers in the network, for instance by using the MS08-067 exploit.\r\nIn general, the Rocra framework is designed for executing “tasks” that are provided by its C\u0026C servers. Most of\r\nthe tasks are provided as one-time PE DLL libraries that are received from the server, executed in memory and\r\nthen immediately discarded.\r\nSeveral tasks however need to be constantly present in the system, e.g. waiting for the iPhone or Nokia mobile to\r\nconnect. These tasks are provided as PE EXE files and are installed in the infected machine.\r\nExamples of “persistent” tasks\r\nOnce a USB drive is connected, search and extract files by mask/format, including deleted files. Deleted\r\nfiles are restored using a built-in file system parser\r\nWait for an iPhone or a Nokia phone to be connected. Once connected, retrieve information about the\r\nphone, its phone book, contact list, call history, calendar, SMS messages, browsing history\r\nWait for a Windows Mobile phone to be connected. 
Once connected, infect the phone with a mobile\r\nversion of the Rocra main component\r\nWait for a specially crafted Microsoft Office or PDF document and execute a malicious payload embedded\r\nin that document, implementing a one-way covert channel of communication that can be used to restore\r\ncontrol of the infected machine\r\nRecord all the keystrokes, make screenshots\r\nExecute additional encrypted modules according to a pre-defined schedule\r\nRetrieve e-mail messages and attachments from Microsoft Outlook and from reachable mail servers using\r\npreviously obtained credentials\r\nExamples of “one-time” tasks\r\nCollect general software and hardware environment information\r\nCollect filesystem and network share information, build directory listings, search and retrieve files by mask\r\nprovided by the C\u0026C server\r\nCollect information about installed software, most notably Oracle DB, RAdmin, IM software including\r\nMail.Ru agent, drivers and software for Windows Mobile, Nokia, SonyEricsson, HTC, Android phones,\r\nUSB drives\r\nExtract browsing history from Chrome, Firefox, Internet Explorer, Opera\r\nExtract saved passwords for Web sites, FTP servers, mail and IM accounts\r\nExtract Windows account hashes, most likely for offline cracking\r\nExtract Outlook account information\r\nDetermine the external IP address of the infected machine\r\nDownload files from FTP servers that are reachable from the infected machine (including those that are\r\nconnected to its local network) using previously obtained credentials\r\nWrite and/or execute arbitrary code provided within the task\r\nPerform a network scan, dump configuration data from Cisco devices if available\r\nPerform a network scan within a predefined range and replicate to vulnerable machines using the MS08-067\r\nvulnerability\r\nReplicate via network using previously obtained administrative credentials\r\nThe Rocra 
framework was designed by the attackers from scratch and hasn’t been used in any other operations.\r\nWas the malware limited to only workstations or did it have additional capabilities, such as a mobile\r\nmalware component?\r\nSeveral mobile modules exist, which are designed to steal data from several types of devices:\r\nWindows Mobile\r\niPhone\r\nNokia\r\nThese modules are installed in the system and wait for mobile devices to be connected to the victim’s machine.\r\nWhen a connection is detected, the modules start collecting data from the mobile phones.\r\nHow many variants, modules or malicious files were identified during the overall duration of Operation\r\nRed October?\r\nDuring our investigation, we’ve uncovered over 1000 modules belonging to 30 different module categories. These\r\nwere created from 2007 onwards, with the most recent being compiled on 8th Jan 2013.\r\nHere’s a list of known modules and categories:\r\nWere initial attacks launched at select “high-profile” victims or were they launched in a series of larger\r\n(wave) attacks at organizations/victims?\r\nAll the attacks are carefully tuned to the specifics of the victims. 
For instance, the initial documents are\r\ncustomized to make them more appealing and every single module is specifically compiled for the victim with a\r\nunique victim ID inside.\r\nLater, there is a high degree of interaction between the attackers and the victim – the operation is driven by the\r\nkind of configuration the victim has, which type of documents they use, installed software, native language and so\r\non.\r\nCompared to Flame and Gauss, which are highly automated cyberespionage campaigns, Rocra is a lot more\r\n“personal” and finely tuned for the victims.\r\nIs Rocra related in any way to the Duqu, Flame and Gauss malware?\r\nSimply put, we could not find any connections between Rocra and the Flame / Tilded platforms.\r\nHow does Operation Rocra compare to similar campaigns such as Aurora and Night Dragon? Any notable\r\nsimilarities or differences?\r\nCompared to Aurora and Night Dragon, Rocra is a lot more sophisticated. During our investigation we’ve\r\nuncovered over 1000 unique files, belonging to about 30 different module categories. Generally speaking, the\r\nAurora and Night Dragon campaigns used relatively simple malware to steal confidential information.\r\nWith Rocra, the attackers managed to stay in the game for over 5 years and evade detection by most antivirus\r\nproducts while continuing to exfiltrate what must be hundreds of terabytes by now.\r\nHow many Command \u0026 Control servers are there? Did Kaspersky Lab conduct any forensic analysis on\r\nthem?\r\nDuring our investigation, we uncovered more than 60 domain names used by the attackers to control and retrieve\r\ndata from the victims. 
The domain names map to several dozen IPs located mostly in Russia and Germany.\r\nHere’s an overview of Rocra’s command and control infrastructure, as we believe it looks from our\r\ninvestigations:\r\nMore detailed information about the Command and Control servers will be revealed at a later date.\r\nDid you sinkhole any of the Command \u0026 Control servers?\r\nWe were able to sinkhole six of the over 60 domains used by the various versions of the malware. During the\r\nmonitoring period (2 Nov 2012 – 10 Jan 2013), we registered over 55,000 connections to the sinkhole. The\r\nnumber of different IPs connecting to the sinkhole was 250.\r\nFrom the point of view of country distribution of connections to the sinkhole, we have observed victims in 39\r\ncountries, with most of the IPs being from Switzerland. Kazakhstan and Greece follow next.\r\nSinkhole statistics – 2 Nov 2012 – 10 Jan 2013\r\nIs Kaspersky Lab working with any governmental organizations, Computer Emergency Response Teams\r\n(CERTs), law enforcement agencies or security companies as part of the investigation and disinfection\r\nefforts?\r\nKaspersky Lab, in collaboration with international organizations, Law Enforcement, Computer Emergency\r\nResponse Teams (CERTs) and other IT security companies, is continuing its investigation of Operation Red\r\nOctober by providing technical expertise and resources for remediation and mitigation procedures.\r\nKaspersky Lab would like to express its thanks to: US-CERT, the Romanian CERT and the Belarusian CERT\r\nfor their assistance with the investigation.\r\nIf you are a CERT and would like more information about infections in your country, please contact us at\r\ntheflame@kaspersky.com.\r\nHere’s a link to the full paper (part 1) about our Red October research. 
During the next days, we’ll be\r\npublishing Part 2, which contains a detailed technical analysis of all the known modules. Please stay tuned.\r\nA list of MD5s of known documents used in the Red October attacks:\r\nSource: https://securelist.com/the-red-october-campaign/57647",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/the-red-october-campaign/57647"
	],
	"report_names": [
		"57647"
	],
	"threat_actors": [
		{
			"id": "ea844ee6-eb12-42c0-8426-11395fe81e6f",
			"created_at": "2022-10-25T15:50:23.300796Z",
			"updated_at": "2026-04-10T02:00:05.32389Z",
			"deleted_at": null,
			"main_name": "Night Dragon",
			"aliases": [
				"Night Dragon"
			],
			"source_name": "MITRE:Night Dragon",
			"tools": [
				"at",
				"gsecdump",
				"zwShell",
				"PsExec",
				"ASPXSpy",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "09a8f8fe-e907-47b4-8709-a97717dde3cc",
			"created_at": "2022-10-25T16:07:23.90252Z",
			"updated_at": "2026-04-10T02:00:04.783553Z",
			"deleted_at": null,
			"main_name": "Night Dragon",
			"aliases": [
				"G0014"
			],
			"source_name": "ETDA:Night Dragon",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Cain \u0026 Abel",
				"gsecdump",
				"zwShell"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "020794ec-7315-47de-818c-2032c362fd15",
			"created_at": "2023-01-06T13:46:38.306576Z",
			"updated_at": "2026-04-10T02:00:02.920647Z",
			"deleted_at": null,
			"main_name": "Night Dragon",
			"aliases": [
				"G0014"
			],
			"source_name": "MISPGALAXY:Night Dragon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434190,
	"ts_updated_at": 1775826753,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/82ca6ad6ec213c779c2c7c6f33ee5a1b7057d2c7.pdf",
		"text": "https://archive.orkl.eu/82ca6ad6ec213c779c2c7c6f33ee5a1b7057d2c7.txt",
		"img": "https://archive.orkl.eu/82ca6ad6ec213c779c2c7c6f33ee5a1b7057d2c7.jpg"
	}
}