'Shady RAT' Stole Sensitive Data for Years, Expert Says -- Redmondmag.com

'Shady RAT' Stole Sensitive Data for Years, Expert Says

By Kevin McCaney
08/05/2011

A single command and control server conducted attacks against corporations and government agencies over the last five years, according to the security company McAfee.

In a report released on Aug. 2, Dmitri Alperovitch, McAfee's vice president of Threat Research, said a diverse group of 72 organizations was compromised, 49 of them in the United States. He dubbed the attacks "Operation Shady RAT" (short for remote access tool). The attacks may may have netted petabytes of sensitive information over the years. Although the report does not speculate on who is behind the attacks, which have been traced back to July 2006, several security experts said the evidence points to China.

James Lewis, a senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies, told the Washington Post that, "the most likely candidate is China." He noted, for instance, that the activity McAfee found had focused on Taiwan and the International Olympic Committee in advance of the 2008 Olympic Games in Beijing.

Other organizations targeted in the attacks include the United Nations, an Energy Department laboratory and 13 U.S. defense contractors, according to the McAfee report, which does not identify most of the victims specifically but does provide general categories (U.S. federal government agency, U.S. state government, U.S. defense contractor, South Korean steel company, and so on.) The list of intrusions ends in September 2010.

In the report, Alperovitch writes of the potential seriousness of the data theft to both national security and commercial interests.

"What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth," he writes, "closely guarded national secrets (including from classified government networks), source code, bug databases, e-mail archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, [Supervisory Control and Data Acquisition] configurations, design schematics and much more has 'fallen off the truck' of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries."

He notes that many of these attacks went unnoticed, or unreported, while less sophisticated attacks (such as those of the hacker groups Anonymous and LulzSec) drew a lot of media attention.

And although most victims aren't named, he writes that McAfee felt it important to name some of them, "to reinforce the fact that virtually everyone is falling prey to these intrusions, regardless of whether they are the United Nations, a multinational Fortune 100 company, a small nonprofit think tank, a national Olympic team, or even an unfortunate computer security firm."

Most of the victims have remediated the infections, the report states.

McAfee gained access to the command and control server used in the attacks and collected logs dating back to 2006, although the report states that intrusions could have begun earlier.

The attacks used a spear-phishing e-mail targeted at someone with high access level, the report states. When opened on an unpatched system, malware opens a back-door communications channel to the command and control server. After that, the report adds, intruders arrive, escalate their privileges, spread to other machines and start taking data.

"After painstaking analysis of the logs, even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators," the report states.

Victims included six federal agencies, five state governments, three U.S. county government and government-run sites in Canada, South Korea, Taiwan, Vietnam and India.

In addition to the 13 defense contractors, other victims in commercial operations included those in construction/heavy industry, electronics, steel, energy, IT, the news media, real estate and accounting. Several think tanks or nonprofits also were targeted.

The attacks hit organizations in 14 countries altogether, although the United States had by far the most with 49. The next highest totals were four in Canada and three each in South Korea and Taiwan.

About the Author

Kevin McCaney is the managing editor of Government Computer News.

Featured

What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.