Demystifying Rocra

If you have stumbled across the phrase 'Red October' in the past few weeks, you may think it sounds like an operation from a John le Carré novel. In reality, you wouldn't be far from the truth.

Red October, or 'Rocra' for short, is the name we've given to a highly sophisticated cyber espionage campaign. Unlike the cyber attacks we're used to hearing and reading about every day, where the aim is to steal personal information for financial gain, Rocra has been specifically designed by more sinister cybercriminals to steal sensitive data from significant targets around the world, including diplomatic and government agencies, research institutions, energy and nuclear groups, and trade and aerospace organisations.

So how does it work, what's its purpose, who is behind the attack and - perhaps most importantly - what does it mean for the rest of us?

How does it work?

The infection begins with a spear-phishing attack - i.e. a phishing e-mail directed to a specific person within an organisation. The malware is delivered as an e-mail attachment containing code designed to exploit weaknesses in Microsoft Word and Excel. Once the attachment is opened and the exploit runs, additional Rocra modules are installed on the computer.

Rocra has been designed to make it easy for the attackers to add new features and collect specific information from specific victims. The attackers control and co-ordinate activity on the compromised computers through a series of Command-and-Control (C&C) servers spread across 60 different domains.

What's its purpose?

The purpose of the Rocra malware is to steal data from the attackers' chosen victims. What's more, it's not just taking data from traditional desktop PCs, but also from personal mobile devices, business network equipment and removable devices, such as USB drives, in the compromised organisations. The attackers may intend to sell the data on the black market or to use it themselves.

Who's behind the attack?

We don't have information that will allow us to say who the attackers are. However, the exploits used in the attack seem to have been created by Chinese hackers and Rocra's modules have been developed by Russian speakers.

What's the significance of Rocra?

From the list of organisations we know it has targeted, it's not hard to imagine the potential impact Rocra could have. But what about the rest of us?

If you or your organisation has never been the victim of cybercrime, it's easy to read the headlines and think 'it won't happen to us' and that these types of attacks are reserved only for large companies that maintain 'critical infrastructure' systems within a country. The reality is, however, that any organisation can become a victim. All organisations hold data that could be of value to cybercriminals, or that could be used as a stepping-stone to reach other companies.

Even though such attacks are typically very sophisticated, many begin by 'hacking a human' - tricking an employee into disclosing information that can be used to gain access to corporate resources. The huge volume of information that we now share online and the growing use of social media in business have helped to fuel such attacks. Therefore, if you work in a public-facing role (such as sales or marketing) you may find yourself particularly vulnerable to attack.

Targeted attacks such as Red October may seem irrelevant to the point of being alien to the everyday consumer. However, the reality is that we can expect the number of such targeted attacks to grow in 2013 and beyond. You might not think so, but these can affect each and every one of us. Therefore, the best way to protect against these is to be on your guard and make sure you don't become the weakest link in the security of your organisation.