LAS VEGAS-While McAfee identified 72 organizations hit by Operation Shady RAT, researchers believe it’s possible “thousands” more organizations or individuals have been attacked.
McAfee has been aware of the attacks since 2009 but did not know the actual scope of the attacks until this March when researchers found a command-and-control server used to launch and manage the operation, Dmitri Alperovitch, vice president of threat research at McAfee, told reporters Aug. 3 at a press conference. McAfee analysis indicates the Shady RAT system dates as far back as 2006.
It’s likely that there were more C&C servers commanding the operation other than the one McAfee uncovered, but it was impossible to say, Alperovitch said. The existence of other C&C servers would mean there were far more victims than the 72 McAfee identified in the report.
“I think it’s fair to assume, that if you look at the totality of activity that’s occurring, it’s in the thousands of targets,” Alperovitch said.
McAfee said targeted companies came from all industries, including government, defense, energy, electronics, media, real estate, agriculture and construction. The governments hit included the U.S., Canada, South Korea, Vietnam, Taiwan and India.
McAfee found that targets were identified in the C&C server log by IP address. In many cases, those addresses happened to be the public addresses for a corporate firewall or gateway. McAfee detected other target IP addresses that it couldn’t identify, Alperovitch said. Those addresses could belong to an unknown company, or be individual employees working at home or traveling.
Alperovitch said he had already briefed senior White House officials, government agencies in the U.S. and other countries, and U.S. congressional staff. The company directly notified the victims it had identified, but declined to name them in the report unless it had permission to do so. The United Nations was named in the report because it was impossible to describe it without identifying it, according to Alperovitch. McAfee was also working with U.S. law enforcement agencies on the investigation, including shutting down the C&C server.
The C&C server that McAfee had access to was located in a “Western” country, Alperovitch said. He did not say whether it was a compromised machine commandeered into becoming a C&C server or if it was an original, dedicated system. Although the McAfee report said that a nation-state was likely backing the operation, Alperovitch declined to speculate on which nation-state it could be. “We’re not in the business of attribution,” he said.
In terms of impact, the unknown cyber-assailants did not launch a “Pearl Harbor-type” attack on the United States, Alperovitch said. The attack was more like a “death by a thousand cuts,” he said.
The McAfee report did not specify what information had been stolen, or even what kind, but Alperovitch said the amount added up to several petabytes. Companies were initially targeted by a phishing email, and employees saw an email they thought was a legitimate message from someone they knew or within the organization. When they opened the attachment or clicked on the link in the message, malware was downloaded. This part of the campaign was automated, with thousands of these phishing emails blindly sent out to unsuspecting users.
Once employees fell for the trick and downloaded malware, “live intruders would access the system” and escalate user privileges to be able to access other systems in the organization, compromise other machines and steal data.
While there may be national security implications from the government intrusions, the attacks would have bigger repercussions on the overall economy and on the average American worker. “The company that he or she may be working for may go out of business soon because an unscrupulous competitor is stealing their intellectual property and may soon be coming on the market with a cheaper technology because they’ve stolen all your R&D,” Alperovitch said.