News Analysis: The discovery that massive amounts of data were stolen from the U.S. government, corporations and defense contractors in a pervasive five-year cyber-spying campaign likely initiated by China shows that everyone is potentially the weakest link in the corporate security chain.
The Aug. 3 report by McAfee security researchers that revealed the
U.N., the United States government, multiple foreign governments and
defense contractors were hit by a chilling, five-year cyber-spying
campaign called Operation Shady Rat
treads lightly on the question of who actually inspired the attacks.
But like previously disclosed attacks,
all the indications point to China as the probable source of these
stealthy and persistent network penetrations, which, according to Dmitri
Alperovitch, McAfee's vice president of Threat Research, were
specifically targeted to reap petabytes of strategic industrial,
financial, military and diplomatic intelligence. There's no telling how
many sensitive U.S. state secrets or how much intellectual property was
stolen in this cyber-spying campaign.
But in a press conference Aug. 3 at the Black Hat security conference
in Las Vegas, Alperovitch noted that any theft of intellectual
property could soon have repercussions
on U.S. companies and workers.
It's conceivable that companies hit by this attack "may go out of
business soon because an unscrupulous competitor is stealing their
intellectual property and may soon be coming on the market with a
cheaper technology," Alperovitch said.
Alperovitch also reports that the attacks were targeted to specific
individuals in specific organizations who had the right level of
access, and that these people were sent a phishing email that
contained a link to malware that automatically installed itself on the
victim's computer when the email was opened. The reason that
Alperovitch was able to figure all of this out is that once the attacks
were discovered, McAfee researchers gained access to a server
controlling the operation. Then they were able to download the
server activity logs.
But Alperovitch also notes that it's possible there are many more
of these command-and-control servers dispersed across the Internet
that were used to penetrate the networks of perhaps thousands
of other corporations or government agencies around the world.
It's important to note that Alperovitch does not specifically name
China as the perpetrator, although the ability to gain access to the
server logs means that he and his team most likely know who is the true
perpetrator. It appears that Alperovitch is simply not making that
information public, just as he's not making known which U.S. and
international agencies were targeted.
But the parts that he does make public clearly point the finger at
China. As eWEEK's Fahmida Rashid's news story states, other security
experts are saying China is the likely culprit based on the evidence. This is not the first time that China has been fingered
as a cyber-warfare attacker. U.S. cyber warfare experts have even
tracked the attacks as originating from a single building in Jinan,
But perhaps the most chilling part of Alperovitch's report is the
manner in which the attacks happened. Specifically, the attackers sent
an email to a specific individual in a company, agency or organization
who had the necessary access. Opening that email gave the cyber-spies
the foothold they needed, and live operators then performed the necessary
permission changes, file access and downloads.
This raises the question of how the attackers knew which specific
people to target. Is there a parallel cyber-warfare operation in place
that identifies the proper people? Is there an intelligence
operation that identifies companies?