An investigation into a single cyber attacker that has launched a series of persistent attacks beginning in 2006, if not earlier, and is still ongoing, shows a diverse group of victims distributed throughout much of the globe, according to a new report by the information security firm McAfee Inc.
Moreover, the investigation indicates a range of potential target interests by the single actor, from government and quasi-governmental organizations to companies, including 10 U.S. defense contractors and three foreign ones. The attacks against defense contractors showed a desire for sensitive military technologies, Dmitri Alperovitch, vice president of Threat Research at McAfee, said on a conference call with reporters recently.
The types of victims targeted by “Operation Shady RAT,” the name given by Alperovitch to the perpetrator of the attacks, suggest the attacker could be a state actor, he said.
For example, some of the victims included the United Nations, the International Olympic Committee as well as Asian and Western national Olympic Committees and the World Anti-Doping Agency.
The interest in the international sporting groups, both prior to and immediately after the 2008 Olympics in Beijing, “was particularly intriguing and potentially pointed a finger at a state actor behind the intrusions, because there is likely no commercial benefit to be earned from such hacks,” Alperovitch writes in the company’s blog on Aug. 2. Another attack against the secretariat of the Association of Southeast Asian Nations during their summit in Hong Kong indicates that it is not only motivated by economic gain, he said on the conference call.
Alperovitch would not give specifics as to the types of intellectual property and other secrets being obtained through Operation Shady RAT and he also declined to name the attacker, saying there is “no hard evidence to point fingers.”
McAfee discovered the command and control server behind the attacks in 2009, but it wasn’t until March 2011 that it found the logs on the server enabling it to identify the victims. Yet the server, and the 72 companies and organizations in 14 countries that have been compromised, are just the “tip of the iceberg,” Alperovitch said.
That’s because McAfee knows of “hundreds” of the servers, “if not thousands,” that are being used by the attacker, Alperovitch said. The company doesn’t have additional visibility into the victims beyond one or two, he added.
Taking the number of companies identified through the one server and adding hundreds more, “you start to get the picture that really the entire economy is really impacted by these intrusions,” Alperovitch said.
“What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth, closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more has ‘fallen off the truck’ of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries,” he writes on the McAfee blog.
Alperovitch could only guess at what the ultimate objective of the attacker is, noting that the attacks on the Olympic panels and ASEAN were tactical in nature given that they related to specific events but that other attacks were more broad, including going after energy firms and solar power firms, and telecommunications and computer security firms.
“Really the objective seems to have been to steal intellectual property that could benefit another nation’s economy,” he said.
Other industries targeted by Operation Shady RAT include construction, real estate, steel, agriculture, accounting, insurance, news media, satellite communications and information services and technology. Government organizations targeted were in the United States, Vietnam, Canada, South Korea and India.
The release of the target list is the most “comprehensive” ever and is aimed at raising public awareness of advanced persistent cyber national and economic security threats given the limited number of public disclosures by attack victims, Alperovitch said.
As for how Operation Shady RAT carried out the attacks, they began with a common technique, spearphishing, whereby an unwitting employee of a company or organization at a certain access level downloaded malware that in turn opened a back door communications channel that enabled the intruders to steal data. RAT refers to Remote Access Tool.
Alperovitch presents a gloomy picture of the prevalence of cyber intrusions.
He is convinced that any company and organization that has size and important intellectual property and trade secrets has already been hacked.
“In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”
McAfee is part of computer chip maker Intel Corp. [INTC].