'Shady RAT' report unveils massive cyber espionage campaign

A series of attacks against corporations and government agencies over the last five years, which netted petabytes of sensitive information, can be traced to a single command and control server, according to the security company McAfee.

In a report released Aug. 2, Dmitri Alperovitch, McAfee’s vice president of Threat Research, said a diverse group of 72 organizations was compromised, 49 of them in the United States.

Although the report does not speculate on who is behind the attacks, which have been traced back to July 2006, several security experts said the evidence points to China. 


Related stories:

RSA confirms its tokens used in Lockheed hack

Anatomy of a hack: When the GCN Lab was attacked from China


James Lewis, a senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies, told the Washington Post that, “the most likely candidate is China.” He noted, for instance, that the activity McAfee found focused on Taiwan and the International Olympic Committee in advance of the 2008 Olympic Games in Beijing.

Other organizations targeted in the attacks include the United Nations, an Energy Department laboratory and 13 U.S. defense contractors, according to the McAfee report, which does not identify most of the victims specifically but does provide general categories (U.S. Federal Government Agency, U.S. State Government, U.S. Defense Contractor, South Korean Steel Company, and so on.) The list of intrusions ends in September 2010.

In the report, Alperovitch, who dubbed the attacks Operation Shady RAT (short for remote access tool), writes of the potential seriousness of the data theft to both national security and commercial interests.

“What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth,” he writes, “closely guarded national secrets (including from classified government networks), source code, bug databases, e-mail archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, [Supervisory Control and Data Acquisition] configurations, design schematics and much more has ‘fallen off the truck’ of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries.”

He notes that many of these attacks went unnoticed, or unreported, while less-sophisticated attacks such as those of the hacker groups Anonymous and LulzSec drew a lot of media attention.

And although most victims aren’t named, he writes that McAfee felt it important to name some of them, “to reinforce the fact that virtually everyone is falling prey to these intrusions,  regardless of whether they are the United Nations, a multinational Fortune 100 company, a small nonprofit think tank, a national Olympic team, or even an unfortunate computer security firm.”

Most of the victims have remediated the infections, the report states.

McAfee gained access to the command and control server used in the attacks and collected logs dating back to 2006, although the report states that intrusions could have begun earlier.

The attacks used a spear-phishing e-mail targeted at someone with high access level, the  report states. When opened on an unpatched system, malware opens a back-door communications channel to the command and control server. After that, the report adds, intruders arrive, escalate their privileges, spread to other machines and start taking data.

“After painstaking analysis of the logs, even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators,” the report states.

Victims included six federal agencies, five state governments, three U.S. county government and government-run sites in Canada, South Korea, Taiwan, Vietnam and India.

In addition to the 13 defense contractors, other victims in commercial operations included those in construction/heavy industry, electronics, steel, energy, IT, the news media, real estate and accounting. Several think tanks or nonprofits also were targeted.

The attacks hit organizations in 14 countries altogether, although the United States had by far the most with 49. The next highest totals were four in Canada and three each in South Korea and Taiwan.

About the Author

Kevin McCaney is editor of Defense Systems. Follow him on Twitter: @KevinMcCaney.

Reader Comments

Tue, Jan 17, 2012

Doesn't matter if NASA works with China or not. They'll just steal what they need anyhow while we'll let them by not ramping up our security.

Thu, Aug 11, 2011

SURELY the Chinese government will disavow any knowledge of such intrusions. But does anyone else see that China was not on the list of those victimized? So, is it any wonder why Congress passed a bill prohibiting NASA & the OSTP from working with China on manned space flight? Yet the former NASA Administrator, Dr. Griffin, says Congress is being short sighted (Washington Times Commentary)! Kudos to Rep. Frank Wolf of Virginia for having the leadership to thwart NASA & the Administration's blind trust of China!

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above