The Spread of “Red October:” A Kremlin counter-intelligence virus?

The “Red October” scandal serves to expedite post-Soviet imperial re-integration. Official Moscow media has amplified primarily the computer infection in Russia, Kazakhstan, Azerbaijan, Turkmenistan, and Armenia, which also engenders a psychosis of solidarity in fear among the victims of the virus.

By Marek Jan Chodakiewicz | February 5, 2013

The Spread of Red October
Graphic: The Spread of Red October/Spiegel International

This just in from Kaspersky Lab: Over 300 computers in 39 countries, most notably Russia, were infected with a spy virus dubbed “Red October,” the month of its discovery last year. The detection coincided with the Kremlin’s on-going campaign to tighten control over the Russians, including cyberspace.

The virus appeared in 2007 and operated undetected until the end of 2012. The maleware is more sophisticated than the Flame virus that the U.S. and Israel had used to penetrate Iran’s nuclear industry computers. According to Dan Goodin (, the virus spread through phishing. Each penetrated machine was first profiled and targeted with modules, which carried out individual reconnaissance operations of the computer to tackle it most optimally. The virus was borne via unsolicited email messages with an attachment which, when downloaded, would infect the system. But “Red October” was so well camouflaged that it passed undetected through all firewalls. It would then cling to Adobe Acrobat and Microsoft Word which guaranteed that it would be able to reinstall itself at their relaunching even after a most thorough sweep with the best anti-malware protection programs. Once embedded, “Red October” took over the command-and-control system and siphoned off “hundreds of tetrabytes” of data to its cyberspy master.

The infiltrators hid successfully under false domain names, some of them anonymous, others commandeered. Sixty proxy cyberpenetration cells were set up mostly on servers in Germany and Russia. Only between October 2012 and January 2013, following the discovery of the virus, at least 50,000 penetration operations took place utilizing over 250 hijacked IP addresses. It is estimated that “hundreds of tetrabytes” of data were stolen over 5 years. It is unclear what was stolen, however. On source mentions “geopolitical” information. One thing is obvious: it was a spy operation par excellance.

What does this all mean? Amplifying the “Red October” penetration can be self-promotion by the Kaspersky Lab. “Have a virus? We’ll fix it!” On the other hand, the company is one of the principal purveyors of computer security in the world, including Russia. However, a cyber penetration which escaped undetected for 5 years certainly does not look neat on the Kaspersky Lab’s resume. It can also have serious implications for the firm’s future contracts: most computers attacked belonged to the Russian state, including its diplomatic missions.

The Kremlin banged its fist immediately. On January 16, 2013, President Vladimir Putin signed a decree about protecting state computers. According to Reuters, Moscow’s secret police, FSB, was ordered to “create a state system for the detection, prevention and liquidation of the effects of computer attacks on the information resources of the Russian Federation.” The question is: was Putin reactive or pro-active?

Like in most places, Russia’s cyber laws are in their infancy. An intrusion warrants legal countermeasures, of course. However, the presidential computer security decree should be viewed in the broader context of Putin’s drive to limit freedom in Russia. First, the law strengthens the FSB by increasing its jurisdiction and scope of action, empowering it firmly to act also in cyberspace. Second, the order undermines the last bastion of free speech: censorship is at its lightest still in Russia’s relatively free-wheeling e-media and blogosphere. The authorities have long attempted to rein in the e-commentators, pundits, bloggers, and journalists. For example, an FSB delegation traveled to China late last year to learn the tricks of the cybercensor trade from their secret police comrades in Bejing.

Fairly widespread coverage about the “Red October” virus in Russia serves well the propaganda aimed at consolidating Putin’s power domestically. The propaganda, boosted by the presidential decree, helps maintain an atmosphere of fear and endangerment. State computers were hacked! What calamity will come next for Mother Russia? We need to be vigilant. Only Putin can save us. A spymania psychosis aids in mobilizing the supporters of the Kremlin against foreign agents and traitors, real and alleged. It also conveniently assists in the official offensive against the NGOs, which have just been officially delegalized, if they receive foreign grants.

Further, the presidential decree has obviously targeted Russia’s nascent middle class. Its computer literate members are the nation’s leading users of the internet. They also constitute a group most dissatisfied with the Kremlin. And now the FSB has yet another legal tool to bash them with. The intelligentsia has already been discouraged from mass participation in anti-Putin street demonstrations through steep fines, amounting to the equivalent of three monthly salaries. One can only imagine what penalties the Russians will be slapped with for “computer attacks on the information resources of the Russian Federation.” Does posting criticism of Putin on government web sites constitute “computer attacks?”

Moreover, the “Red October” scandal serves to expedite post-Soviet imperial re-integration. Official Moscow media has amplified primarily the computer infection in Russia, Kazakhstan, Azerbaijan, Turkmenistan, and Armenia. This also engenders a psychosis of solidarity in fear among the victims of the virus. Russia is apparently the chief among them but at least 39 other nations were likewise targeted, including the United States, India, Iran, Afghanistan, and Belgium. The Kremlin spokesman has refused to admit it, at least as of this writing. Common victimhood, real or alleged, usually translates into some kind of a sentiment of closeness, possibly even an alliance. In the case of the Russian Federation, it already has a number of institutional tools in place, including the Commonwealth of Independent States and a customs union with some of the post-Soviet successor states affected by the “Red October.” The virus may be yet another baby step in Moscow’s reintegration drive.

Given all of this, in a murky world of Putin’s undercover politics one cannot exclude the possibility that “Red October” was a provocation by the FSB. It may have been a counterintelligence operation to monitor Russia’s own diplomats and other civil servants. For example, once the virus was either detected or outlived its usefulness, the Kremlin’s propaganda machine milked the “discovery” of the penetration to conceal its origins and to strengthen domestic and external control. The malware was programmed by Russian-speakers who also employed some Chinese ingredients in their system. And it remained undetected for an unprecedented five years. This is highly unlikely given the customary level of Russia’s legendary counterintelligence measures.

If not Moscow, then who else could be responsible? Of the nation-states, the U.S. certainly has the resources. Israel has the talent: a legion of Russian-speaking former refuseniks and their progeny who are computer whizzes. Georgia and Estonia are on a short list, of course, both victims of cyberwar by the Kremlin a few years ago. Further, both have trained programmers very much at home with the Russian language. Estonia additionally is a Baltic tiger of new technologies: the home of Skype and other technologically advanced gadgets. But would Tibilisi and Talin pick on Moscow? Very unlikely. Let us not forget, for the record, the Russian opposition hackers supported by cyberanarchists worldwide. That would be the first suspect. Cyberpirates like Wikileaks prefer to pick on democratic opponents because others would probably send a hit squad to take care of the likes of Julian Assange.

At any rate, no suspect has officially been named. No matter. Putin has cracked down hard. And that was the main lesson of the Russian spy virus dubbed “Red October.”

Marek Jan Chodakiewicz is a Professor of History at the
Institute of World Politics
, A Graduate School of National Security and International Affairs in Washington, DC, where he also holds the Kościuszko Chair in Polish Studies. Professor Chodakiewicz is also a contributor to

SFPPR News & Analysis.