January 21, 2013

The Hunt for Red October

Ran Mosessco, Principal Security Researcher

“Red October” in the title of Tom Clancy’s bestselling novel referred to a Soviet submarine whose silent propulsion system made it undetectable to sonar. It’s a fitting name for the sophisticated cyber-espionage network that has recently been identified after collecting high-level data from governments, embassies and diplomatic networks, energy companies, and other sensitive systems for at least five years.

Red October begins as a series of spear phishing attacks with highly personalized emails for specific targets. These emails carry both malicious and "clean" Microsoft® Office attachments, and the attack proceeds as follows:

• The unsuspecting user receives an email with an attached Microsoft Office file and opens it.
• The exploit drops and launches two files: a clean Microsoft Word or Microsoft Excel document and a malicious .EXE.
• Microsoft Word or Microsoft Excel then crashes and exits while the malicious .EXE runs on alongside the clean document, so the user sees nothing amiss.
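The Office chain above leaves a recognisable trace in endpoint telemetry: a Word or Excel process starts an executable from a user-writable drop directory and then terminates within seconds while the child keeps running. The following is an added detection example, not code from the original post or from Websense; the event field names are assumptions loosely modelled on Sysmon process-create and process-terminate records, and the paths and PIDs are constructed sample data.

```python
from datetime import datetime, timedelta

OFFICE_PARENTS = {"winword.exe", "excel.exe"}
# User-writable locations where a dropped payload typically lands.
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")


def is_office_drop_launch(ev):
    """True when a Word/Excel process starts an .exe from a drop directory."""
    if ev["type"] != "create":
        return False
    parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
    image = ev["image"].lower()
    return (parent in OFFICE_PARENTS and image.endswith(".exe")
            and any(d in image for d in DROP_DIRS))


def find_suspicious_chains(events, crash_window_s=30):
    """Return [(launch_event, parent_exited)] for each suspicious launch.

    parent_exited is True when the Office parent terminated within the
    window: the 'Office crashes while the .EXE keeps running' behaviour."""
    exits = {ev["pid"]: ev["time"] for ev in events if ev["type"] == "terminate"}
    window = timedelta(seconds=crash_window_s)
    hits = []
    for ev in events:
        if is_office_drop_launch(ev):
            end = exits.get(ev["parent_pid"])
            exited = end is not None and timedelta(0) <= end - ev["time"] <= window
            hits.append((ev, exited))
    return hits


# Constructed sample telemetry (hypothetical paths, not real indicators).
T0 = datetime(2013, 1, 21, 9, 0, 0)
WORD = r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\Office12\EXCEL.EXE"
SAMPLE_EVENTS = [
    # Exploited Word drops and runs a payload from %TEMP%, then dies 2s later.
    {"type": "create", "time": T0, "pid": 4300, "parent_pid": 4242,
     "image": r"C:\Users\alice\AppData\Local\Temp\dropped.exe", "parent_image": WORD},
    {"type": "terminate", "time": T0 + timedelta(seconds=2), "pid": 4242},
    # Benign: Excel launching the print-spooler helper from C:\Windows.
    {"type": "create", "time": T0 + timedelta(seconds=60), "pid": 4400, "parent_pid": 4250,
     "image": r"C:\Windows\splwow64.exe", "parent_image": EXCEL},
    # Benign: Explorer starting an .exe from the user's temp directory.
    {"type": "create", "time": T0 + timedelta(seconds=90), "pid": 4500, "parent_pid": 3100,
     "image": r"C:\Users\alice\AppData\Local\Temp\installer.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]
```

Running `find_suspicious_chains(SAMPLE_EVENTS)` flags only the Word-to-%TEMP% launch, with the parent-exited flag set; the two benign events fail the parent or directory test.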

Java is another attack vector in the spear phishing campaign. As with the Office-based attack described above, Red October sends a spear phish email containing a link that loads a malicious Java applet when opened.

All known C&C IP addresses and domains associated with the Red October attack are classified as “Bot Networks”. Websense® ThreatScope™ helps protect our customers by identifying all of the embedded files as Malicious, as shown in the following reports:

[ThreatScope reports: Dropped File 1, Dropped File 2, Dropped File 3]


The following CVEs are reported to have been exploited as part of the Red October spear phishing attacks:

• CVE-2009-3129 (Microsoft Excel)
• CVE-2010-3333 (Microsoft Word)
• CVE-2012-0158 (Microsoft Word)
• CVE-2011-3544 (Java)


Targeted attacks like Red October lower a victim's guard by appealing to his or her interests. This social engineering aspect is what makes such attacks so successful. Therefore, it's essential to remain vigilant when opening emails with attachments or links, especially if they are unsolicited.


Websense customers are protected by Websense ACE (Advanced Classification Engine), and we will continue to monitor this and other evolving security threats.


Ran Mosessco

Principal Security Researcher
