McAfee Reveals Operation Shady RAT
“I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised.” - Dmitri Alperovitch, McAfee
Late Tuesday night, Dmitri Alperovitch, VP Threat Research at McAfee, revealed the findings of an incredibly interesting investigation into targeted intrusions at 70+ global companies, governments and non-profit organizations over the last five years. What is interesting is that Alperovitch is confident the intrusions were all conducted by a single actor or group.
In a well-timed release to coincide with the Black Hat Conference taking place in Las Vegas this week, McAfee is looking to raise the level of public awareness by publishing what it says is the most comprehensive analysis ever revealed of victim profiles from a five-year targeted operation by one specific actor. Alperovitch named the operation “Operation Shady RAT”, with RAT being an acronym that stands for Remote Access Tool.
In describing the operation, Alperovitch suggested that we have seen “a historically unprecedented transfer of wealth.” He is not referring to money, but to the digital assets and data that contain much of what fuels industries and sustains a nation’s economy. “What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth—closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more has “fallen off the truck” of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries,” Alperovitch notes.
What is disturbing is how detrimental losing such massive amounts of sensitive data can be to our national economy. According to Alperovitch, “If even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat not just to individual companies and industries but to entire countries.”
How Was Operation Shady RAT Uncovered?
McAfee gained access to logs on a Command & Control server used by the intruders, and was able to determine the full extent of the victims compromised since mid-2006, which is as far back as the logs go.
According to the report, the compromises followed the standard procedure for these types of targeted intrusions: a targeted email (spear-phishing attack) containing an exploit is directed to an individual with the required level of access at an organization, and when the exploit is opened on an unpatched system it triggers a download of the implant malware. This is exactly how RSA was breached back in March.
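The investigative step described above (reconstructing a victim timeline from a C2 server's own logs) is something an incident responder does routinely once such logs are in hand. The following is an added example, not McAfee's code or the format of the server it analysed: it parses a constructed, hypothetical C2 access log (timestamp, victim identifier, source IP, action, optional byte count), skips malformed lines, and produces per-victim first-seen and last-seen dates, dwell time, check-in counts and exfiltrated volume, which is how the "since mid-2006" extent of a campaign is established from the data.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample C2 access log for this example. The line format is an
# assumption made here (timestamp, victim id, source IP, action, optional bytes);
# it is not the format of any real Shady RAT server.
SAMPLE_C2_LOG = """\
2006-07-12T03:14:05Z victim-001 203.0.113.7 checkin
2006-07-13T03:14:11Z victim-001 203.0.113.7 checkin
2007-02-01T11:00:00Z victim-002 198.51.100.23 checkin
2007-02-01T11:05:00Z victim-002 198.51.100.23 exfil 4194304
2008-09-30T22:10:44Z victim-001 203.0.113.7 exfil 1048576
2009-05-05T08:00:00Z victim-003 192.0.2.55 checkin
this line is malformed and should be skipped
"""


@dataclass
class VictimRecord:
    """Aggregated activity for one compromised host/organization."""
    victim_id: str
    first_seen: datetime
    last_seen: datetime
    checkins: int = 0
    bytes_exfiltrated: int = 0
    source_ips: set = field(default_factory=set)

    @property
    def dwell_days(self) -> int:
        # Span between the first and last observed contact with the C2 server.
        return (self.last_seen - self.first_seen).days


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str, int]]:
    """Parse one log line; return None for anything that does not fit the format."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    nbytes = 0
    if len(parts) >= 5:
        try:
            nbytes = int(parts[4])
        except ValueError:
            return None
    return ts, parts[1], parts[2], parts[3], nbytes


def build_victim_timeline(log_text: str) -> Tuple[Dict[str, VictimRecord], int]:
    """Fold the raw log into per-victim records; also count skipped lines."""
    records: Dict[str, VictimRecord] = {}
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1  # malformed input is counted, never silently dropped
            continue
        ts, victim, ip, action, nbytes = parsed
        rec = records.get(victim)
        if rec is None:
            rec = VictimRecord(victim, ts, ts)
            records[victim] = rec
        rec.first_seen = min(rec.first_seen, ts)
        rec.last_seen = max(rec.last_seen, ts)
        rec.source_ips.add(ip)
        if action == "checkin":
            rec.checkins += 1
        elif action == "exfil":
            rec.bytes_exfiltrated += nbytes
    return records, skipped


def earliest_activity(records: Dict[str, VictimRecord]) -> Optional[datetime]:
    """Oldest timestamp across all victims, i.e. how far back the logs reach."""
    if not records:
        return None
    return min(rec.first_seen for rec in records.values())


def report(records: Dict[str, VictimRecord]) -> List[str]:
    """One summary line per victim, ordered by first compromise date."""
    lines = []
    for rec in sorted(records.values(), key=lambda r: r.first_seen):
        lines.append(
            f"{rec.victim_id}: first seen {rec.first_seen:%Y-%m-%d}, "
            f"last seen {rec.last_seen:%Y-%m-%d}, dwell {rec.dwell_days} days, "
            f"checkins {rec.checkins}, exfil {rec.bytes_exfiltrated} bytes, "
            f"sources {sorted(rec.source_ips)}"
        )
    return lines


if __name__ == "__main__":
    recs, skipped = build_victim_timeline(SAMPLE_C2_LOG)
    for summary in report(recs):
        print(summary)
    print(f"logs begin {earliest_activity(recs):%Y-%m-%d}; skipped {skipped} malformed line(s)")
```

Real C2 logs are rarely this tidy; the two things worth preserving from this shape are that malformed lines are counted rather than discarded (a parser that silently drops lines under-reports victims) and that first-seen/last-seen are tracked per victim, since dwell time is what turns a list of IP addresses into a statement about how long each organization was exposed.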
The report doesn’t explicitly identify most of the victims, instead describing their general industry, nor does it name the adversary. It is fair to say that most believe China is behind it all. It’s no secret that China has assembled significant cyber intelligence capabilities and continues to invest in them and to probe targets around the world.
In July 2010, a report from Medius Research said that China is directing “the single largest, most intensive foreign intelligence gathering effort since the Cold War” against the United States. While the Medius report suggested no evidence of a smoking gun that could conclusively accuse the Chinese government of cyber espionage, the report’s lead investigator Richard Parker stated, “I believe it’s there, and I believe it’s classified.” That same (Medius Research) report showed there is a substantial body of circumstantial evidence:
• Intelligence gathering “is a core mission of the People’s Liberation Army (PLA).” This is substantiated by numerous PLA documents, including one that described “seizing control of an adversary’s information flow as a prerequisite to air and naval superiority.”
• China is investing in the resources needed for “building an informationalized force and winning an informationalized war,” including a 1,100 person cyber operation with a submarine cave entrance worthy of a James Bond film, all hidden beneath the white sands and villages of Hainan Island, a popular tourist destination.
What Organizations Were Attacked and Breached?
Alperovitch said that even McAfee was surprised by the “enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators.”
In all, McAfee identified 72 compromised parties, and said many more were present in the logs but without sufficient information to positively identify them. The victims span multiple industries and governments, and even include an Olympic Committee of a nation in Asia. A breakdown provided by McAfee is below:
“Virtually everyone is falling prey to these intrusions, regardless of whether they are the United Nations, a multinational Fortune 100 company, a small non-profit think-tank, a national Olympic team, or even an unfortunate computer security firm,” Alperovitch said. He believes the intrusions are so vast, that virtually every large company has fallen victim to some degree. “I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know,” Alperovitch concluded.
The full report (I classify this as required reading) is available here.