New name, Same Game: Red October and the Question of Attribution

Earlier this month, Kaspersky Labs announced the discovery of a new style of cyber espionage campaign.  Research on this threat campaign began in October of 2012 according Kaspersksy’s whitepaper.    I’m not convinced that it is entirely new but let’s press on and see what the boys there have to say.  The researchers there began their investigation by examining the aftermath of a series of attacks conducted against networks belonging to the diplomatic services of various governments and their respective agencies.

A large covert network was revealed and summarily reviewed during the investigation code named “Red October”.  Certain parties have made the claim that the choice of code name is directly tied to the source of origin however, there has thus far been no evidence (beyond the speculative) presented that supports this.  According to Kaspersky Labs the earliest known evidence related to this campaign dates back to May 2007 (verified through domain registration information – used for C2s)  and thus far was still active as of January 15, 2013.

The advent of the Red October cyber espionage campaign comes at an interesting time.   By all appearances it has the look and feel of a state-sponsored APT style attack however there are some key differences that have led most experts to conclude that this is something entirely different.  What makes this campaign interesting isn’t the fact that there was an advanced and elaborate exfiltration network in place, advanced malware kits, importation of exploits or that the information harvested from the infected networks was reused in later attacks.  No.  What makes this campaign intriguing is the question that surrounds the attribution of the threat actor.  The hypothesis is that this is the work of organized criminal entities who have decided to switch gears and jump into the world of espionage vis-a-vis cyber means.  That seems plausible given the risk vs. reward argument that seems to govern these organizations decision making when it comes down to moving from one illicit market in favor of another.

The actor identification seems to be the most intriguing (and clearly news worthy) aspect of this campaign.   Kaspersky Labs asserted in their report that due to the registration of the domains (C2 servers) and the “numerous” artifacts left in the malware executables that the threat actors were most likely from a Russian-speaking region.   Though there are no other examples of work – attacks or executables known, that is the assertion.

But in an age where attribution remains difficult at best does it make sense to presume that the nationality of the threat actors is Russian based off of domain registration records?  I guess they forgot that criminals often fraudulently register domains using falsified information on a regular basis.   It may be premature to assert that the nationality of the threat actor corresponds to the C2 server.  Further, it might be premature to assert that the threat actor is not in fact nation state sponsored but is merely criminal looking to segue away from traditional (or non-traditional depending on their degree of sophistication) criminal activity.  So where does that leave us with the case of Red October?  I think it leaves us in a place where more research is required and additional analysis warranted.  The code is clean and the approach the threat actors employed noteworthy however, clean and sophisticated code and a noteworthy approach are not necessarily enough to determine attribution.