McAfee researchers believe that a five-year hacking campaign against government agencies, corporations and other high-profile organizations around the world was the work of a "single actor" likely directed by a nation-state.
Hackers penetrated the United Nations, technology companies, defense contractors, and United States and foreign government networks as part of a massive five-year cyber-spying campaign, according to a stunning report by McAfee researchers.
Dubbed "Operation Shady RAT," the campaign penetrated 72 target networks since July 2006, McAfee disclosed on Aug. 3. Government agencies in the U.S., India, South Korea and Taiwan were attacked, as well as high-profile global organizations such as the International Olympic Committee, McAfee said. Companies in Canada, Denmark, Germany, Indonesia, Singapore, South Korea and Vietnam were also affected.
Despite the scope and duration, McAfee researchers are confident Shady RAT was the work of "a single actor/group," Dmitri Alperovitch, McAfee's vice president of threat research, wrote in the report.
Hackers tunneled into security systems and in many cases managed to lurk in networks undiscovered for more than two years, according to McAfee. Data was stolen from U.S. military systems, satellite communications, electronics and natural gas companies. The researchers believed the pattern of attacks against Olympic committees and companies from the U.S., Taiwan and South Korea indicated nation-state involvement.
"The interest in the information held at the Asian and Western national Olympic Committees, as well as the International Olympic Committee (IOC) and the World Anti-Doping Agency in the lead-up and immediate follow-up to the 2008 Olympics was particularly intriguing and potentially pointed a finger at a state actor behind the intrusions, because there is likely no commercial benefit to be earned from such hacks," Alperovitch wrote.
Although Alperovitch didn't name China as the likely perpetrator, Graham Cluley, a security consultant with security technology firm Sophos, noted that just about every time a big cyber-espionage operation is discovered, fingers are immediately pointed at China.
"I don't think we should be naive. I'm sure China does use the Internet to spy on other countries. But I'm equally sure that just about every country around the world is using the Internet to spy," Cluley said, noting that it's not very hard and "certainly cost effective."
Researchers gained access to a command-and-control server used by Shady RAT and examined its logs to determine the scope of the campaign. The operation relied primarily on spear-phishing to take control of the recipient's machine and then move through the network, the report said. Once the recipient fell for the phish, malware was downloaded to the machine so that it could communicate with the C&C server. The infected system gave the attackers a foothold from which to move elsewhere in the network and compromise other machines.
The goal didn't appear to be financial information or user names and passwords, but competitive intelligence that could be used by a government, McAfee said. In some cases, companies later detected the advanced persistent threat and blocked the attack but were unaware of the extent of the damage already caused.
The McAfee report did not specify whether researchers were able to tell if the compromised computer belonged to a junior employee or to a senior executive or government official. "The seriousness of the two security breaches would be very different," Cluley said.
McAfee did not name the compromised agencies, but said four U.S. government agencies, 12 U.S. defense contractors, and four U.S. state and county governments in California and Nevada were among the victims. Other targets included a media company, think tanks, nonprofits, and electronics and solar power companies.
"We're facing a massive transfer of wealth in the form of intellectual property that is unprecedented in history," Alperovitch said, also writing in the report that: "If even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team's playbook), the loss represents a massive economic threat."
Regardless of the attacks' origin, the scope of this cyber-spying campaign meant individual companies and industries were suddenly facing a more challenging landscape against "unscrupulous competitors in another part of the world," Alperovitch wrote. There was also a "national security impact of the loss of sensitive intelligence or defense information," he said.
Cluley also cautioned against calling Shady RAT the biggest cyber-attack because the report did not make clear what information was stolen from the victims and how many computers were compromised at each organization. Last week, cyber-attackers looted the personal information of 35 million users on a South Korean social-networking site, according to Cluley.
"It's hard to compare 35 million victims in South Korea (where we know what information was lost) with the 72 companies McAfee details in its report (where we don't know what information was stolen), and say one was more important than the other," Cluley said.