Massive Series of Cyber Attacks Targeting 70+ Global Organizations Uncovered

McAfee Reveals Operation Shady RAT

“I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised.” – Dmitri Alperovitch, McAfee

Late Tuesday night, Dmitri Alperovitch, VP Threat Research at McAfee, revealed the findings of an incredibly interesting investigation into targeted intrusions at 70+ global companies, governments and non-profit organizations over the last 5 years. What’s notable is that Alperovitch is confident the intrusions were all conducted by a single actor or group.

In a well-timed release coinciding with the Black Hat Conference taking place in Las Vegas this week, McAfee is looking to raise the level of public awareness by publishing what it says is the most comprehensive analysis ever revealed of victim profiles from a five-year targeted operation by one specific actor. Alperovitch named the operation “Operation Shady RAT”, RAT being an acronym for Remote Access Tool.

In describing the operation, Alperovitch suggested that we have seen “a historically unprecedented transfer of wealth.” He is not referring to money, but to the digital assets and data that fuel industries and sustain a nation’s economy. “What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth—closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more has “fallen off the truck” of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries,” Alperovitch notes.

What’s disturbing is how detrimental losing such massive amounts of sensitive data can be to our national economy. According to Alperovitch, “If even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat not just to individual companies and industries but to entire countries.”

How Was Operation Shady RAT Uncovered?

McAfee gained access to logs on a Command & Control server used by the intruders, and was able to establish the full set of compromised victims going back to mid-2006, the earliest date the logs cover.

According to the report, the compromises followed the standard procedure for these types of targeted intrusions: a targeted email (a spear-phishing attack) containing an exploit is sent to an individual with the required level of access at an organization, and when the attachment is opened on an unpatched system the exploit triggers a download of the implant malware, which then checks in with the Command & Control server. This is exactly how RSA was breached back in March.
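Reconstructing a victim timeline and an industry breakdown from C&C check-in logs is the analytic step the two paragraphs above describe. The Python below is an added example, not code from McAfee or the report; it assumes a hypothetical log format and uses constructed entries.

```python
"""Victim profiling from C&C server check-in logs (constructed example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines; the format (timestamp, event, id=, sector=) is hypothetical.
SAMPLE_LOG = """\
2006-07-14 03:12:55 checkin id=ORG-A sector=defense
2006-07-15 03:13:02 checkin id=ORG-A sector=defense
2007-01-09 22:41:10 checkin id=ORG-B sector=government
2008-06-02 11:00:00 checkin id=ORG-C sector=olympic-committee
2008-06-02 11:05:00 malformed line that should be skipped
2009-03-30 09:30:45 checkin id=ORG-B sector=government
2011-02-11 17:20:03 checkin id=ORG-D sector=defense
"""

def parse_checkins(text):
    """Yield (timestamp, victim_id, sector) for each well-formed check-in line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "checkin":
            continue  # real C&C logs are noisy: skip, don't crash
        try:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        fields = dict(p.split("=", 1) for p in parts[3:])
        if "id" not in fields or "sector" not in fields:
            continue
        yield ts, fields["id"], fields["sector"]

def victim_timeline(text):
    """Map victim id -> first_seen, last_seen, number of check-ins and sector."""
    timeline = {}
    for ts, vid, sector in parse_checkins(text):
        entry = timeline.setdefault(
            vid, {"first_seen": ts, "last_seen": ts, "checkins": 0, "sector": sector})
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
        entry["checkins"] += 1
    return timeline

def sector_breakdown(text):
    """Count distinct victims per sector, the kind of breakdown the report published."""
    counts = defaultdict(int)
    for entry in victim_timeline(text).values():
        counts[entry["sector"]] += 1
    return dict(counts)

def earliest_compromise(text):
    """Earliest first-seen timestamp across all victims, i.e. how far back the logs reach."""
    return min(e["first_seen"] for e in victim_timeline(text).values())
```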

The report doesn’t explicitly identify most of the victims, instead describing their general industry, nor does it name the adversary. It is fair to say that most believe China is behind it all. It’s no secret that China has assembled significant cyber intelligence capabilities and continues to invest and probe the world.

In July 2010, a report from Medius Research said that China is directing “the single largest, most intensive foreign intelligence gathering effort since the Cold War” against the United States. While the Medius report suggested no evidence of a smoking gun that could conclusively accuse the Chinese government of cyber espionage, the report’s lead investigator Richard Parker stated, “I believe it’s there, and I believe it’s classified.” That same (Medius Research) report showed there is a substantial body of circumstantial evidence:

• Intelligence gathering “is a core mission of the People’s Liberation Army (PLA).” This is substantiated by numerous PLA documents, including one that described “seizing control of an adversary’s information flow as a prerequisite to air and naval superiority.”

• China is investing in the resources needed for “building an informationalized force and winning an informationalized war,” including a 1,100 person cyber operation with a submarine cave entrance worthy of a James Bond film, all hidden beneath the white sands and villages of Hainan Island, a popular tourist destination.

What Organizations Were Attacked and Breached?

Alperovitch said that even McAfee was surprised by the “enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators.”

In all, McAfee identified 72 compromised parties, and said many more were present in the logs but without sufficient information to positively identify them. The victims span multiple industries and governments, and even include the Olympic Committee of a nation in Asia. A breakdown provided by McAfee is below:

[Chart: Victims of Operation Shady RAT, breakdown by industry and country]

“Virtually everyone is falling prey to these intrusions, regardless of whether they are the United Nations, a multinational Fortune 100 company, a small non-profit think-tank, a national Olympic team, or even an unfortunate computer security firm,” Alperovitch said. He believes the intrusions are so vast, that virtually every large company has fallen victim to some degree. “I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know,” Alperovitch concluded.

The full report (I classify this as required reading) is available here.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
