McAfee researchers believe that a five-year hacking campaign against government agencies, corporations and other high-profile organizations around the world was the work of a "single actor" likely directed by a nation-state.
Hackers penetrated the
United Nations, technology companies, defense contractors as well as the United
States and foreign government networks as part of a massive five-year
cyber-spying campaign, according to a stunning report by McAfee researchers.
," the attackers penetrated 72 target networks since July
2006, McAfee disclosed on Aug.3. Government agencies in the U.S., India, South
Korea and Taiwan were attacked, as well as high-profile global
organizations such as the International Olympic Committee, McAfee said.
Companies in Canada, Denmark, Germany, Indonesia, Singapore, South Korea, and
Vietnam were also affected.
Despite the scope and
duration, McAfee researchers are confident Shady RAT was the work of " a
single actor/group," Dmitri Alperovitch, McAfee's vice president of threat
research, wrote in the report.
Hackers tunneled into
security systems and in many cases managed to lurk in networks undiscovered for
more than two years, according to McAfee. Data was stolen from U.S. military
systems, satellite communications, electronics and natural gas companies. The
researchers believed the pattern of attack against Olympics committees and
companies from the U.S., Taiwan and South Korea indicated a nation-state
"The interest in the
information held at the Asian and Western national Olympic Committees, as well
as the International Olympic Committee (IOC) and the World Anti-Doping Agency
in the lead-up and immediate follow-up to the 2008 Olympics was particularly
intriguing and potentially pointed a finger at a state actor behind the
intrusions, because there is likely no commercial benefit to be earned from
such hacks," Alperovitch wrote.
Although Alperovitch didn't
name China as the likely perpetrator, Graham Cluley, a security consultant with
security technology firm Sophos, noted that just about every time a big
cyber-espionage operation is discovered, fingers are immediately pointed to China.
"I don't think we
should be naive. I'm sure China does use the Internet to spy on other
countries. But I'm equally sure that just about every country around the world
is using the Internet to spy," Cluley said, noting that it's not very hard
and "certainly cost effective."
Researchers gained access to
a command-and-control server used by Shady RAT and accessed the logs to
determine the scope of the campaign. The operation relied primarily on
spear-phishing tactics to take control of the recipient's machine and then move
through the network, the report said. Once the recipient fell for the phish,
malware was downloaded to the machine to enable it to communicate with the
C&C server. The infected system gave attackers the starting point to move
elsewhere through the network and compromise other machines.
The goal didn't appear to be
financial information or user names and passwords, but competitive intelligence
that could be used by a government, McAfee said. In some cases, companies later
detected the advanced persistent threat and blocked the attack but were unaware
of the extent of the damage already caused.
The McAfee report did not
specify whether researchers were able to differentiate if it was a junior
employee's computer that was compromised or a machine belonging to a senior
executive or government official. "The seriousness of the two security
breaches would be very different," Cluley said.
McAfee did not name the
compromised agencies, but said four U.S. government agencies, 12 U.S. defense
contractors, four U.S. state and county governments in California and Nevada
were among the victims. Other targets included a media company, think tanks,
nonprofits, and electronics and solar power companies.
"We're facing a massive
transfer of wealth in the form of intellectual property that is unprecedented
in history," Alperovitch said, also writing in the report that: "If
even a fraction of it is used to build better competing products or beat a
competitor at a key negotiation (due to having stolen the other team's
playbook), the loss represents a massive economic threat."
Regardless of the attacks'
origin, the scope of this cyber-spying campaign meant individual companies and
industries were suddenly facing a more challenging landscape against
"unscrupulous competitors in another part of the world," Alperovitch
wrote. There was also a "national security impact of the loss of sensitive
intelligence or defense information," he said.
Cluley also cautioned
against calling Shady RAT the biggest cyber-attack because the report did not
make clear what information was stolen from the victims and how many computers
were compromised at each organization. Last week, cyber-attackers looted the
personal information of 35 million users on a South Korean social-networking
site, according to Cluley.
"It's hard to compare
35 million victims in South Korea (where we know what information was lost)
with the 72 companies McAfee details in its report (where we don't know what
information was stolen), and say one was more important than the other,"