by February 19, 2013 0 comments

1. Was email the only vector to launching the attack?

During our investigation, three attack vectors have been identified, which take advantage of vulnerabilities in Word and Excel.

These are exploited through Word and Excel documents which are sent to the victims by e-mail.

In addition to these 3, another attack vector was discovered after the announcement. For details please see:



2. What is the level of risk to small and medium businesses from Red October?

During past 5 years, Red October targeted specific organizations mostly in Eastern Europe, former USSR members and countries in Central Asia, but also in Western Europe and North America.

Our analysis indicates a focus on diplomatic and governmental institutions, however, there are also private companies that have been hit, notably in the energy and oil/gas sectors.

The danger from Red October comes from the fact that the attackers specialize in profiling the victims and stealing every single bit of information from them, sometimes even in encrypted formats.

SMBs need to apply security countermeasures in order to defend themselves against Red October and other similar attacks.

3. What is the best way to avoid falling into the trap of spear phishing?

The most important advice is to update everything (Windows, Office, Adobe Reader, disable Java) and run a security solution.

In many cases, these attacks rely on older, known exploits which can be mitigated this way.

In some cases however, the attackers are using 0-days, which are harder to defend against.

We recommend using Windows 7 x64 (64 bit version of Windows – the 64 bit part is very important because it offers additional protection) and running a security solution which has 0-days defense mechanisms implemented.

Our products for instance rely on whitelisting, cloud and Advanced Exploit Prevention (AEP) to fight 0-days.

4. How did the attack remain hidden for so long?

By focusing on super high profile victims as opposed to spamming everybody, the attackers managed to stay under the radar for so long.

In addition, when targets in Governments or Diplomatic institutions are attacked, they rarely disclose information or share it with the ITSec community.

Because of the lack of better cooperation and international laws, the attack stayed undiscovered for more than 5 years.

5. What were the challenges in identifying such a long-term attack?

Of course, the hardest part is to put all the pieces of the puzzle together. When such an attack is discovered, amateurs perform a superficial analysis and move on.

Because of that, they might miss the bigger picture – for instance, in Red October we’ve discovered over 1000 modules which were used on the victims for advanced espionage purposes.

6. Given the high-profile nature of such attacks, could it be identified as to which security tools were in use and activated on the compromised systems (which failed to prevent the exploits from taking place)?

In general, we suspect that infected systems had either outdated antivirus software or no antivirus software at all.

This is because the exploits used in the attacks were known and are blocked by competent security suites.

Of course, it’s possible that unknown infection vectors were used (0-days), that we haven’t discovered yet.

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.