'Shady Rat' Cyber-Spying Campaign Makes Everybody a Target

News Analysis: The discovery that massive amounts of data was stolen from the U.S. government, corporations and defense contractors in a pervasive five-year cyber-spying campaign likely initiated by China shows that everyone is potentially the weakest link in the corporate security chain.

The Aug. 3 report by McAfee security researchers that revealed the U.N., the United States government, multiple foreign governments and defense contractors were hit by a chilling, five-year cyber-spying campaign called Operation Shady Rat treads lightly on the question of who actually inspired the  attacks.

But like previously disclosed attacks, all the indications point to China as the probable source of these stealthy and persistent network penetrations, which, according to Dmitri Alperovitch, McAfee's vice president of Threat Research, were specifically targeted to reap petabytes of strategic industrial, financial, military and diplomatic intelligence. There's no telling how many sensitive U.S. state secrets or how much intellectual property was stolen in this cyber-spying campaign.

But in a press conference Aug. 3 at the Black Hat security conference in Las Vegas, Alperovitch noted that any theft of intellectual property could soon have repercussions on U.S. companies and workers.

It's conceivable that companies hit by this attack "may go out of business soon because an unscrupulous competitor is stealing their intellectual property and may soon be coming on the market with a cheaper technology," Alperovitch said.

Alperovitch also reports that the attacks were targeted to specific individuals in specific organizations who had the right level of access, and that these people were sent a phishing email that contained a link to malware that automatically installed itself on the victim's computer when the email was opened. The reason that Alperovitch was able to figure all of this out is that once the attacks were discovered, McAfee researchers gained access to a server controlling the operation. Then they were able to download the server activity logs.

But Alperovitch also notes that its possible there are many more  of these command-and-control servers dispersed on the Internet universe that were used to penetrate the networks of perhaps thousands of other corporations or government agencies around the world.

It's important to note that Alperovitch does not specifically name China as the perpetrator, although the ability to gain access to the server logs means that he and his team most likely know who is the true perpetrator. It appears that Alperovitch is simply not making that information public, just as he's not making known which U.S. and international agencies were targeted.

But the parts that he does make public clearly point the finger at China. As eWEEK's Fahmida Rashid's news story states, other security experts are saying China is the likely culprit based on the evidence. This is not the first time that China has been fingered as a cyber-warfare attacker. U.S. cyber warfare experts have even tracked the attacks as originating from a single building in Jinan, China.

But perhaps the most chilling part of Alperovitch's report is the manner in which the attacks happened. Specifically, the attackers sent an email to a specific individual in a company, agency or organization who had the necessary access. Opening that email provided the opening the cyber-spies needed and live operators then performed the necessary permission changes, file access and downloads.

This raises the question of how the attackers knew which specific people to target. Is there a parallel cyber-warfare operation in place that identifies the proper people? Is there an intelligence operation that identifies companies?