It appears that the attackers behind the Red October cyberespionage campaign are taking their ball and going home. Since the attack came to light on Monday, the attackers have begun shutting down their infrastructure and the hosting providers and registrars involved with some of the command-and-control domains are shutting those down, as well.
The Red October campaign has been ongoing for more than five years and the as-yet-unknown attackers behind it have been focusing their attention on a variety of targets, including embassies, research facilities, military facilities and other high-value institutions. The campaign has been wide-ranging and included targets in countries on several continents. Backing the campaign up were more than 60 C&C domains, but now researchers say that infrastructure is beginning to come apart at the seams.
In an interview yesterday, Costin Raiu of the Kaspersky Lab GReAT Team, which has done much of the research on Red October, said that since Monday when the first report of the campaign came out hosting providers and domain owners have been shutting down servers used to help run the campaign.
“It’s clear that the infrastructure is being shut down. This time it’s being shut down for good,” Raiu said. “Not only the registrars killing the domains and the hosting providers killing the command-and-control servers but perhaps the attackers shutting down the whole operation.”
The C&C infrastructure used by the Red October attackers is a large one, with more than 60 servers discovered so far. Raiu said that many of the servers used in the attack were registered in Russia and located in Russia or Germany. However, Raiu said that those machines were mostly just first-level proxies. Behind that were more levels of servers used for different parts of the operation.
The full extent of the C&C infrastructure likely hasn’t been discovered yet, though, Raiu said. He estimated there may be several dozen more servers involved in the campaign, a number that would rival the C&C infrastructure of the Flame malware. Red October has some impressive stats in its own right, though. It has a massive number of modules involved in the malware operation, with individual groups of modules tasked with reconnaissance, data collection, infecting mobile devices, etc.
The picture that emerges from the details of Red October is that of a rather large and comprehensive attack framework designed to enable the attackers to conduct long-term operations against chosen targets. And it’s likely that all of the details have not yet come to light.