The news that at least 72 government agencies, corporations and political organizations based all over the world have been targeted (and compromised) for over five years by what seems to be a single and likely state-sponsored group has resounded like a bomb blast all over the Internet.
Analyzed in great detail in a report made public by McAfee, the operation – dubbed “Shady RAT” after the acronym for Remote Access Tool – has resulted in a “historically unprecedented transfer of wealth — closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more.”
It is remarkable how much information can be recovered from a single Command & Control server used by the attackers. With logs running all the way back to 2006, McAfee researchers were able to identify the targets and reconstruct the timelines of the intrusions, which is what led to this disturbing revelation.
McAfee has notified all of these organizations of its findings, and says that some had been unaware of the intrusion into their networks until now.
Among the targets were government organizations and departments in the US, Canada, South Korea, Vietnam, Taiwan and India; the UN; defense contractors, IT and computer security firms, news and energy industry corporations, communication technology and insurance firms, sports and trade organizations, political non-profit organizations and think tanks from all over the world (but the great majority from the US).
“The compromises themselves were standard procedure for these types of targeted intrusions,” explains Dmitri Alperovitch, McAfee’s VP of Threat Research. “A spear-phishing email containing an exploit is sent to an individual with the right level of access at the company, and the exploit when opened on an unpatched system will trigger a download of the implant malware.”
Once the backdoor is installed and communication with a C&C server is established, the attackers access the infected machine, escalate their privileges, set up additional footholds in the network by implanting malware on other machines, and begin to exfiltrate the data.
So, who is behind these attacks?
“The interest in the information held at the Asian and Western national Olympic Committees, as well as the International Olympic Committee (IOC) and the World Anti-Doping Agency in the lead-up and immediate follow-up to the 2008 Olympics was particularly intriguing and potentially pointed a finger at a state actor behind the intrusions, because there is likely no commercial benefit to be earned from such hacks,” says Alperovitch.
“The presence of political non-profits, such as a private western organization focused on promotion of democracy around the globe or a U.S. national security think tank is also quite illuminating. Hacking the United Nations or the ASEAN (Association of Southeast Asian Nations) Secretariat is also not likely a motivation of a group interested only in economic gains.”
McAfee has been very careful not to point any fingers, but given that Chinese targets are conspicuously missing from the list, speculation about Chinese involvement is sure to spring up – especially since every compromise of government networks discovered in the last half-year or so has been accompanied by such theories.
In the end, advising caution, Alperovitch warns that this was just one specific operation carried out by a single group, and that there are many, many more targeted intrusions by other actors happening daily.
“I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know,” he admits.