Five Years of Cyberattacks Against 14 Countries: Operation Shady RAT

In mid-July it was announced that the Pentagon considers cyberspace an operational theater. Now, experts at security firm McAfee have detailed a five-year-long series of cyber attacks they have dubbed "Operation Shady RAT," in a paper released Wednesday.

In this case, RAT isn't about a rodent. RAT is a common industry acronym for Remote Access Tool (also expanded as Remote Access Trojan when the tool is malicious), software used by attackers and security professionals alike to control computers over a network from a remote location.

The report listed 72 targets, covering companies and organizations in 14 countries. Many more targets, McAfee said, were present in the logs, but without sufficient information to identify them.

The earliest attacks date back to mid-2006, giving the campaign a span of five years. Victims include several governments, among them the United States, Taiwan, India, South Korea, Vietnam and Canada; organizations such as the United Nations, the International Olympic Committee (IOC), the Association of Southeast Asian Nations (ASEAN) and the World Anti-Doping Agency; and a host of companies, including defense contractors and high-tech firms.

There are obvious suspects in the attacks, but McAfee didn't name names. It did say it believed the attacks were the work of a single group acting on behalf of a single government. Jim Lewis, an expert with the Center for Strategic and International Studies, told Reuters that "Everything points to China. It could be the Russians, but there is more that points to China than Russia."

In its research, McAfee gained access to a single command-and-control server used by the attackers and examined the logs on that system. From them it determined that the attackers compromised computers by first sending targeted emails to individuals at the victim companies and organizations. Once again, the weak link in security was the human being.

The spear-phishing emails carried an exploit that, if opened on an unpatched system, downloaded malware which then checked in with the command-and-control server. Spear-phishing, targeted email phishing built on social engineering, has become a popular way to compromise systems, especially inside organizations.

The number of attacks escalated significantly after Shady RAT began. In 2006, eight organizations were attacked; in 2007 that number jumped to 29, rose further to 36 in 2008, and peaked at 38 in 2009. The count fell after that, but McAfee said this wasn't for lack of trying; rather, the decline was "likely due to the widespread availability of the countermeasures for the specific intrusion indicators used by this specific actor."

McAfee's vice president of threat research, Dmitri Alperovitch, wrote the following in the 14-page report released on Wednesday:
What is happening to all this data — by now reaching petabytes as a whole — is still largely an open question. However, if even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat not just to individual companies and industries but to entire countries that face the prospect of decreased economic growth in a suddenly more competitive landscape and the loss of jobs in industries that lose out to unscrupulous competitors in another part of the world, not to mention the national security impact of the loss of sensitive intelligence or defense information.

The interest in the information held at the Asian and Western national Olympic Committees, as well as the International Olympic Committee (IOC) and the World Anti-Doping Agency in the lead-up and immediate follow-up to the 2008 Olympics was particularly intriguing and potentially pointed a finger at a state actor behind the intrusions, because there is likely no commercial benefit to be earned from such hacks. The presence of political non-profits, such as a private western organization focused on promotion of democracy around the globe or a U.S. national security think tank, is also quite illuminating. Hacking the United Nations or the ASEAN (Association of Southeast Asian Nations) Secretariat is also not likely a motivation of a group interested only in economic gains.
The individual intrusions lasted from less than a month to as long as 28 months, the latter in the case of an attack on the Olympic committee of an unnamed nation in Asia.
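The two figures the article draws from the C2 server logs, victims active per year and how long each intrusion lasted, are the kind of summary an incident responder builds from a check-in log. The script below is an added example and is not part of the original article or of McAfee's tooling; the log format, victim identifiers and dates are constructed for illustration and do not represent any real organization.

```python
"""Constructed example: summarising a command-and-control (C2) server's
check-in log to recover per-year victim counts and per-victim intrusion
duration. The format and every entry are invented for this example; they
are not McAfee's data or the real Shady RAT logs."""
from collections import defaultdict
from datetime import date

# Constructed check-in log, one "YYYY-MM-DD <victim_id> <event>" per line.
# Two deliberately malformed lines are included to show they are skipped.
SAMPLE_LOG = """\
2006-07-03 victim-A checkin
2006-09-14 victim-A checkin
2006-11-20 victim-B checkin
2007-01-08 victim-A checkin
2007-02-17 victim-C checkin
2007-03-02 victim-B checkin
2008-06-30 victim-C checkin
2008-11-11 victim-D checkin
2009-02-25 victim-D checkin
garbage line with no timestamp
2007-13-01 victim-E checkin
"""


def parse_log(text):
    """Return a list of (date, victim_id) tuples, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            when = date.fromisoformat(parts[0])
        except ValueError:
            continue  # unparseable timestamp; a real tool would report it
        events.append((when, parts[1]))
    return events


def victims_per_year(events):
    """Count distinct victims that checked in at least once in each calendar year."""
    seen = defaultdict(set)
    for when, victim in events:
        seen[when.year].add(victim)
    return {year: len(ids) for year, ids in sorted(seen.items())}


def months_between(start, end):
    """Whole calendar months from start to end (0 when both fall in the same month)."""
    return (end.year - start.year) * 12 + (end.month - start.month)


def intrusion_durations(events):
    """Map victim_id -> (first_seen, last_seen, duration_in_months)."""
    first, last = {}, {}
    for when, victim in events:
        first[victim] = min(first.get(victim, when), when)
        last[victim] = max(last.get(victim, when), when)
    return {v: (first[v], last[v], months_between(first[v], last[v])) for v in first}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("victims per year:", victims_per_year(evts))
    for victim, (first_seen, last_seen, months) in intrusion_durations(evts).items():
        print(f"{victim}: {first_seen} -> {last_seen} ({months} months)")
```

Counting a victim in every year it beaconed, rather than only the year of first compromise, matches how a multi-year intrusion shows up in a C2 log; the first-seen and last-seen dates per victim are what give the "less than a month" to "28 months" range described above.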