'Shady Rat' Cyber-Spying Campaign Makes Everybody a Target

 
 
By Wayne Rash  |  Posted 2011-08-04
 
 
 

'Shady Rat' Cyber-Spying Campaign Makes Everybody a Target


The Aug. 3 report by McAfee security researchers that revealed the U.N., the United States government, multiple foreign governments and defense contractors were hit by a chilling, five-year cyber-spying campaign called Operation Shady Rat treads lightly on the question of who actually inspired the  attacks.

But like previously disclosed attacks, all the indications point to China as the probable source of these stealthy and persistent network penetrations, which, according to Dmitri Alperovitch, McAfee's vice president of Threat Research, were specifically targeted to reap petabytes of strategic industrial, financial, military and diplomatic intelligence. There's no telling how many sensitive U.S. state secrets or how much intellectual property was stolen in this cyber-spying campaign.

But in a press conference Aug. 3 at the Black Hat security conference in Las Vegas, Alperovitch noted that any theft of intellectual property could soon have repercussions on U.S. companies and workers.

It's conceivable that companies hit by this attack "may go out of business soon because an unscrupulous competitor is stealing their intellectual property and may soon be coming on the market with a cheaper technology," Alperovitch said.

Alperovitch also reports that the attacks were targeted to specific individuals in specific organizations who had the right level of access, and that these people were sent a phishing email that contained a link to malware that automatically installed itself on the victim's computer when the email was opened. The reason that Alperovitch was able to figure all of this out is that once the attacks were discovered, McAfee researchers gained access to a server controlling the operation. Then they were able to download the server activity logs.

But Alperovitch also notes that its possible there are many more  of these command-and-control servers dispersed on the Internet universe that were used to penetrate the networks of perhaps thousands of other corporations or government agencies around the world.

It's important to note that Alperovitch does not specifically name China as the perpetrator, although the ability to gain access to the server logs means that he and his team most likely know who is the true perpetrator. It appears that Alperovitch is simply not making that information public, just as he's not making known which U.S. and international agencies were targeted.

But the parts that he does make public clearly point the finger at China. As eWEEK's Fahmida Rashid's news story states, other security experts are saying China is the likely culprit based on the evidence. This is not the first time that China has been fingered as a cyber-warfare attacker. U.S. cyber warfare experts have even tracked the attacks as originating from a single building in Jinan, China.

But perhaps the most chilling part of Alperovitch's report is the manner in which the attacks happened. Specifically, the attackers sent an email to a specific individual in a company, agency or organization who had the necessary access. Opening that email provided the opening the cyber-spies needed and live operators then performed the necessary permission changes, file access and downloads.

This raises the question of how the attackers knew which specific people to target. Is there a parallel cyber-warfare operation in place that identifies the proper people? Is there an intelligence operation that identifies companies?

Everyone Must Take Responsibility for Network Security



The fact is that as chilling as Alperovitch's report may be, it doesn't tell the whole story. While the victims of many of these attacks eventually found and remedied the malware intrusions, little has been revealed about this publicly. No general alarm was apparently raised in the halls of government or industry at least before McAfee discovered the command-and-control server. One of the primary purposes of the report was to make public the breadth and depth of this single set of related attacks.

What's perhaps the scariest part of this whole situation is people targeted people in this attack all enabled it by doing one of the things they should be teaching the employees in their companies never to do. They opened a suspicious email to give the malware access to their computers. It's hard to overstate how important it is to instill the proper level of suspicion into employees. Surely by now the amount of damage that's been caused and the amount of loss that's been incurred by careless actions on the part of employees sould motivate companies and agencies to train their employees not to do this.

Perhaps an equally scary revelation is these attacks all happened to unpatched Windows-based computers. In other words, the attacks were enabled through exploits that could have been prevented simply by updating Windows and the installed Windows security software.

None of these preventative steps is expensive or even difficult. Updating Windows is free. Updating security software is free, except for the annual subscription. Taking care of both these tasks isn't hard. In most cases it's automatic.

Training your employees isn't free, but it's not hard or expensive. Neither is managing the right level of access to your network. You can't have a secure network if everyone is a system administrator, even on their own machine. And while it does take an investment in time and money buy the right enterprise security software, the right firewalls, and the right encryption tools, that investment is relatively low compared to the risk of losing your most precious information.

Ask yourself whether you want to be the cyber-patsy chosen by the agents of a distant foreign government who want  to steal your organization's most strategic information. But that's exactly what you will be if you happen to be the weakest link in your organization's security cordon with an unpatched PC and a lame password that provides easy entry to the network with the right level of access. Then all they have to do is send you a cleverly disguised spear-phishing email that with your single mouse click opens the back door to your employer's data riches.

As an alternative, think about whether you or your company take security seriously. Do you actively train your employees about the dangers of email? Do you ensure that your computers at all levels are kept updated? Have you made sure that your security software is in place, properly configured and updated? A quick look around any office is almost certain to reveal at least one computer running an unpatched version of Windows XP. That alone could open the door to a massive security hole that could give away all that your company has worked to achieve.

Rocket Fuel