Massive, Widespread Cyberespionage Campaign Uncovers a RAT

August 3, 2011
By Max Cacas, SIGNAL Online Exclusive

Security firm analysis suggests a nation behind the effort.

A large cyberespionage campaign has been ongoing for five or more years, with its targets ranging from private companies to nations. Commercial cybersecurity experts say all the evidence so far points to a “state player” as the source of the attack, and they have located server logs outlining the extent of the attack.

The plot has been revealed by cybersecurity firm McAfee in a report titled “Revealed: Operation Shady RAT.” The “RAT” stands for “remote access tool,” and describes an operation that has been underway since at least 2006, according to the author of the report, Dmitri Alperovitch.

“We’ve identified at least 70 of the victims that have been impacted by it, but the actual number is probably up in the thousands,” says Alperovitch, McAfee’s vice president of threat research.

“The staggering thing is that it’s every sector of the economy that’s been impacted,” he relates. “It’s not just defense, it’s not just governments—it’s everything from real estate, construction, heavy industry, electronics, satellite communications, energy, solar power, you name it.”

He says that McAfee researchers first discovered the “command and control” server behind the attacks in 2009 while investigating cyberattacks against defense contractors. Earlier this year, they went back to that server and discovered log files that detailed all the attacks.

The majority of the known attacks targeted entities in the United States, including federal agencies (which are not specifically named in the report), private companies, local and state governments and large defense contractors. The attacks, however, also targeted the United Nations, a technology company owned by the government of Vietnam, the International Olympic Committee, and the World Doping Agency. The last two attacks took place around the time of the 2008 Olympic Winter Games in Vancouver.

Alperovitch says he and his investigators were “quite fortunate” to find the server logs detailing the cyberattacks, some of which continued against entities such as a U.S. satellite communications company for more than two years. An unnamed U.S. news organization is reported to have been attacked at its New York headquarters for eight months and at its Hong Kong bureau for as long as 21 months.

The McAfee report says that the attacks began when targeted individuals within organizations opened spear-phishing emails containing malware that downloaded additional software onto the infected network and its servers; this enabled the “command and control” server to take control and begin harvesting data that met the criteria for which it had been programmed.

As for the fate of the data that was taken, the report says, “What is happening to all this data—by now reaching petabytes as a whole—is still largely an open question.”

Asked to assess the preparedness for such a cyberattack on the part of the companies and organizations involved, Alperovitch demurred, saying he is reluctant to “blame the victim.”

“We’re facing a threat actor, so we should not be blaming the victim, we should be blaming the adversary,” he explains. “We have a threat actor who is determined to hack into every sector of our economies and national security apparatus and steal what it can. They [the hackers] are well-financed, they’re well-orchestrated, and they conducted this operation with a great deal of preparedness. When you face an adversary like that, which is believed to be a nation-state, it’s difficult to defend against.”

Alperovitch says the command and control server behind the attacks is still in operation at last report, but it has been reported to law enforcement. He refused to specifically name the agencies involved but would say only that both “international and American law enforcement” agencies currently are involved in the ongoing investigation.

The McAfee white paper concludes, “What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth—closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more has ‘fallen off the truck’ of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries.”

McAfee White Paper – “Revealed: Operation Shady RAT”