December 11, 2014

Red October APT returns as Cloud Atlas

Attacks on embassies launched from cloud command and control (C&C) server.

By Jimmy Nicholls

The cyber-espionage campaign Red October appears to have returned with redesigned tools to continue attacks on embassies, according to the security firm Kaspersky Lab.

Renamed Cloud Atlas, the threat mostly operates in Russia and Kazakhstan and shares compression algorithms, victims and a software compiling system with Red October, which was shut down in January 2013.

"When a major cyber-espionage operation is exposed, the attackers are unlikely to completely shut down everything," said Kaspersky. "They simply go offline for some time, completely reshuffle their tools and return with rejuvenated forces."

Cloud Atlas starts with a spear phishing campaign seeming to offer a diplomatic car for sale, as was the case with Red October, before dropping a malicious loader and payload onto victims’ machines.

It also makes use of what is described as "a rather unusual" command and control (C&C) mechanism, operating from the storage service CloudMe, which the security company Blue Coat this week found to be abused by another advanced persistent threat (APT) as well.

"Each malware set we have observed so far communicates with a different CloudMe account," Kaspersky added.

"The attackers upload data to the account, which is downloaded by the implant, decrypted and interpreted. In turn, the malware uploads the replies back to the server via the same mechanism."


As with the campaign Blue Coat discovered, Kaspersky believed that any cloud storage service could be similarly exploited if it made use of the collaboration protocol WebDAV.
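
The WebDAV-based tasking loop described above (the implant fetches tasking from a cloud account and uploads replies through the same account) leaves a recognisable pattern in web proxy logs. The following is an added detection example, not code from the article or from Kaspersky; the log format, host names and addresses are constructed for illustration, and the watchlist of WebDAV-capable hosts is an assumption an analyst would fill in.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines: timestamp, client, method, URL, status.
# Hosts and addresses are made up; PROPFIND/GET/PUT are the standard WebDAV
# methods a storage client uses to list, download and upload files.
SAMPLE_LOG = """\
2014-12-11T09:00:01 10.0.0.5 PROPFIND https://webdav.example-cloud.test/tasks/ 207
2014-12-11T09:00:02 10.0.0.5 GET https://webdav.example-cloud.test/tasks/cmd.bin 200
2014-12-11T09:05:03 10.0.0.5 PUT https://webdav.example-cloud.test/out/r1.bin 201
2014-12-11T09:10:01 10.0.0.5 PROPFIND https://webdav.example-cloud.test/tasks/ 207
2014-12-11T09:15:04 10.0.0.5 PUT https://webdav.example-cloud.test/out/r2.bin 201
2014-12-11T09:07:00 10.0.0.9 GET https://www.example.test/index.html 200
2014-12-11T09:08:00 10.0.0.9 PUT https://webdav.example-cloud.test/docs/a.docx 201
"""

# Assumed watchlist: cloud storage hosts known to expose WebDAV in this network.
WEBDAV_HOSTS = {"webdav.example-cloud.test"}
WEBDAV_METHODS = {"PROPFIND", "GET", "PUT"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) https?://([^/\s]+)(\S*) (\d{3})$")

def flag_webdav_beacons(log_text, hosts=WEBDAV_HOSTS, min_rounds=2):
    """Return {client: host} for clients that repeatedly both fetch from and
    upload to the same WebDAV host, i.e. a two-way tasking/reply pattern.
    A user who only uploads a document, or only downloads, is not flagged."""
    activity = defaultdict(lambda: defaultdict(lambda: {"fetch": 0, "put": 0}))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        _ts, client, method, host, _path, _status = m.groups()
        if host not in hosts or method not in WEBDAV_METHODS:
            continue
        bucket = activity[client][host]
        if method == "PUT":
            bucket["put"] += 1
        else:
            bucket["fetch"] += 1
    flagged = {}
    for client, per_host in activity.items():
        for host, counts in per_host.items():
            if counts["fetch"] >= min_rounds and counts["put"] >= min_rounds:
                flagged[client] = host
    return flagged

if __name__ == "__main__":
    print(flag_webdav_beacons(SAMPLE_LOG))
```

The threshold is deliberately low for the sample; on real logs it would be tuned per host, and the hit list is a triage lead rather than a verdict.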

Data collected by Kaspersky also indicated that some of the very same victims of Red October were being hit by Cloud Atlas; one victim had been attacked only twice in the last two years, once by each campaign.
