China Suspected in 5-Year Cyber-Spying Campaign

A sustained and sophisticated series of intrusions over a five-year period targeted the computers of defense contractors, the IOC and agencies of the UN, the U.S., and 13 other nations, said computer security firm McAfee Wednesday.

The hacking campaign was a “five-year targeted operation by one specific actor,” according to Dmitri Alperovitch, McAfee vice president of threat research and lead author of the report. He declined to name the responsible nation, but other analysts, including U.S. intelligence agencies, have fingered China as the most likely culprit because of the origin of the intrusions, their sophistication and the identities of the 72 victims.

Operation Shady RAT, as the intrusions have been dubbed, has been traced back to at least 2006. Many of the penetrations were long-term, with 19 intrusions lasting more than a year and five lasting more than two. Targets were found in 14 different countries across North America, Europe, India, and East Asia.

McAfee was investigating an intrusion into a defense contractor’s system in 2009 when it discovered a command-and-control server used to direct the remote administration tools (RATs) installed on the victims’ systems. McAfee began its analysis of the server in March of this year and found logs of the attacks. Its analysts identified at least 72 victims, as well as others that could not be positively identified.

The attacks began with spear-phishing, in which emails with malicious attachments are sent to a victim organization’s employees. Because the emails appear to come from sources the employees know, they often open the attachments. Opening an attachment runs the exploit code that compromises the employee’s system. Once the system has been compromised, RAT software is installed to allow long-term monitoring, collection of credentials, probing of the network, and exfiltration of data to the attackers.

Operation Shady RAT’s first target was a South Korean construction company that suffered its initial break-in in July 2006. The final new victim was an Indian government agency in September 2010, though data theft from systems compromised earlier continued beyond that date. Data was stolen from a U.S. think tank and the AP’s Hong Kong office until this May.

The total amount of data stolen through these intrusions is in the petabytes (thousands of trillions of bytes), but its ultimate destination and use remain unknown, says McAfee. The commercial value of data from the IOC and other sports organizations is low, which suggests a state actor, according to McAfee’s analysis. Jim Lewis of the Center for Strategic and International Studies fingered China after being briefed by McAfee. His conclusion appears to rest on the fact that China has been suspected in such attacks before and on the inclusion of Taiwan and the IOC among the victims.

The same techniques were used this year to break into security company RSA, the French and Canadian finance ministries and many oil and gas companies, and in the attacks discovered in 2009 against Google and other companies.

McAfee’s report has not always been welcomed by the victims it identifies. Some victims continue to deny that they were compromised despite overwhelming evidence.