Posted on 03 Aug 2011
Internet security and anti-virus firm McAfee, Inc. published a stunning report yesterday outlining Operation Shady RAT, a massive cyber attack which compromised 72 sensitive computer networks, 49 of them in the United States. Twenty-two of the networks belonged to government agencies, including fourteen federal, state, and local government systems in the U.S. Thirteen of the targets were defense contractors.
The operation has been in progress since at least 2006, resulting in the theft of an incredible amount of valuable and sensitive data. McAfee Vice President of Threat Research Dmitri Alperovitch, author of the Shady RAT report, sums up the damage from what he describes as “a significant national security threat” of which the public has “largely minimal” awareness:
"What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth — closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more has 'fallen off the truck' of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries.
"What is happening to all this data — by now reaching petabytes as a whole — is still largely an open question. However, if even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat not just to individual companies and industries but to entire countries that face the prospect of decreased economic growth in a suddenly more competitive landscape and the loss of jobs in industries that lose out to unscrupulous competitors in another part of the world, not to mention the national security impact of the loss of sensitive intelligence or defense information."
Most of the attacks began with malware-tainted emails carrying links that, once a recipient clicked them, opened that system to access by the attackers.
Operation Shady RAT was eventually traced to a single “command and control” server, which was discovered while it was coordinating raids on defense contractors in 2009. Harvesting activity logs from this server helped McAfee to determine the true scope of the operation, and compile lists of the victims, whose exact identities remain confidential.
Alperovitch says the perpetrator was a “state actor,” since massive resources were required to coordinate the operation, and some of the targets had no commercial benefit. He would not formally designate the “state actor” he has in mind, but evidence points to China. The non-commercial target list included all sorts of organizations China has an interest in, or does not like, including the Association of Southeast Asian Nations, the International Olympic Committee, Olympic committees in various Asian nations, the World Anti-Doping Agency, and the United Nations.
A swarm of attacks occurred around the time of the 2008 Olympic games in Beijing. The top five targeted nations were the United States, Canada, South Korea, Taiwan, and Japan. The U.S. was number one by a very wide margin.