The cyber-espionage campaign Red October appears to have returned with redesigned tools to continue attacks on embassies, according to the security firm Kaspersky Lab.

Renamed Cloud Atlas, the threat mostly operates in Russia and Kazakhstan and shares compression algorithms, victims and a software compiling system with Red October, which was shut down in January 2013.

"When a major cyber-espionage operation is exposed, the attackers are unlikely to completely shut down everything," said Kaspersky. "They simply go offline for some time, completely reshuffle their tools and return with rejuvenated forces."

Cloud Atlas starts with a spear phishing campaign seeming to offer a diplomatic car for sale, as was the case with Red October, before dropping a malicious loader and payload onto victims’ machines.

It also makes use of what is described as "a rather unusual" command and control (C&C) mechanism, operating off the storage service CloudMe, which the security company Blue Coat found this week to be abused by another advanced persistent threat (APT) as well.

"Each malware set we have observed so far communicates with a different CloudMe account," Kaspersky added.

"The attackers upload data to the account, which is downloaded by the implant, decrypted and interpreted. In turn, the malware uploads the replies back to the server via the same mechanism."

As with the campaign Blue Coat discovered, Kaspersky believed that any cloud storage service could be abused in the same way if it supported the collaboration protocol WebDAV.
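The relay pattern Kaspersky describes (implant fetches attacker-placed data from a storage account, then uploads its replies to the same account over WebDAV) gives a defender something concrete to look for in proxy logs. The following Python sketch is an added illustration, not code from the article or from Kaspersky; the log format, the hostname webdav.cloudme.com and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the article); format is
# "timestamp client_ip method host path status bytes_out bytes_in".
SAMPLE_LOG = """\
2014-12-10T09:00:01 10.0.0.21 PROPFIND webdav.cloudme.com /shared/ 207 512 1400
2014-12-10T09:00:02 10.0.0.21 GET webdav.cloudme.com /shared/task.bin 200 300 8192
2014-12-10T09:00:40 10.0.0.21 PUT webdav.cloudme.com /shared/reply.bin 201 65536 200
2014-12-10T09:05:01 10.0.0.21 PROPFIND webdav.cloudme.com /shared/ 207 512 1400
2014-12-10T09:01:00 10.0.0.37 GET www.example.org /index.html 200 400 12000
2014-12-10T09:02:00 10.0.0.42 PUT webdav.cloudme.com /backup/photo.jpg 201 900000 200
"""

# Storage hosts to watch; the article names CloudMe, and the WebDAV
# hostname used here is an assumption for the sample.
CLOUD_STORAGE_HOSTS = {"webdav.cloudme.com"}
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "MOVE", "COPY", "LOCK", "UNLOCK"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+) (\d+) (\d+)$")

def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, host, path, status, out_b, in_b = m.groups()
    return {"ts": ts, "client": client, "method": method, "host": host,
            "path": path, "status": int(status),
            "bytes_out": int(out_b), "bytes_in": int(in_b)}

def find_relay_candidates(log_text):
    """Return clients that use WebDAV methods against a storage host AND both
    download from and upload to it, i.e. the bidirectional relay pattern.
    A client that only uploads (a backup) or only browses is not flagged."""
    per_client = defaultdict(lambda: {"dav": False, "download": False, "upload": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] not in CLOUD_STORAGE_HOSTS:
            continue
        flags = per_client[rec["client"]]
        if rec["method"] in WEBDAV_METHODS:
            flags["dav"] = True
        if rec["method"] == "GET" and 200 <= rec["status"] < 300:
            flags["download"] = True
        if rec["method"] == "PUT" and 200 <= rec["status"] < 300:
            flags["upload"] = True
    return sorted(c for c, f in per_client.items() if all(f.values()))
```

Flagged clients are only candidates for triage; a user legitimately syncing a CloudMe folder will show the same shape, so the next step is to inspect what the exchanged objects contain.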

Data collected by Kaspersky also indicated that some of the very same victims of Red October were being hit by Cloud Atlas; one victim had been attacked only twice in the last two years, once by each campaign.