Last week, cyber security firm McAffee exposed a massive cyber attack operation as an object lesson for individuals, companies, and world governments to show that everyone is at risk. In a post written by Dmitri Alperovitch, McAffee’s VP of Threat Research, the logs of a Remote Access Tool (RAT) revealed that over 70 organizations had been infiltrated in the last five years through a single, coordinated effort. It has been named Operation Shady RAT.
According to the McAffee report, Shady RAT appears to be a case of national espionage. The list of breached systems runs the gambit from national governments (including the United States, Canada, India, Vietnam, and Taiwan), defense contractors, communications organizations, international sports organizations, and even real estate companies.
While 70-odd intrusions may not seem like much — after all, we’ve discussed botnets with millions of infected computers in the past. However, these are not the brute-force denial of service attacks or mere LulzCannon-ings, but sophisticated and long-term intrusions. For instance, McAffee says that the shortest intrusion lasted one month, while the longest-running operation went on for some 28 months within the International Olympic Committee.
In his article, Alperovitch paints a vivid picture of Shady RAT’s operation.
The compromises themselves were standard procedure for these types of targeted intrusions: a spear-phishing email containing an exploit is sent to an individual with the right level of access at the company, and the exploit when opened on an unpatched system will trigger a download of the implant malware. That malware will execute and initiate a backdoor communication channel to the Command & Control web server and interpret the instructions encoded in the hidden comments embedded in the webpage code. This will be quickly followed by live intruders jumping on to the infected machine and proceeding to quickly escalate privileges and move laterally within the organization to establish new persistent footholds via additional compromised machines running implant malware, as well as targeting for quick exfiltration the key data they came for.
While the identity of the Shady RAT operators remains unknown, McAffee suggests that a national power is behind it. They point to the numerous intrusions made into organizations that would be unlikely to provide monetary gain to the intruder, such as the United Nations, the International Olympic Committee, and the World Anti-Doping Agency, among others. It’s worth noting that groups such as Anonymous and LulzSec have also targeted organizations for purely ideological reasons, as opposed to monetary gain. McAffee did not name a possible perpetrator but, reading between the lines, the report has “CHINA” written all over it. Jim Lewis, with the bipartisan think-tank the Center for Strategic and International Studies, is quoted by Reuters as saying:
“Everything points to China. It could be the Russians, but there is more that points to China than Russia.”
The China connection seems to come primarily from the preponderance of intrusions into Olympics-related organizations in the run-up to the Beijing Olympics in 2008, and the list of victim governments. This is, of course, entirely circumstantial without more in-depth information, which it seems McAffee has declined to share.
While the McAffee report certainly paints a chilling picture of the cyber-security landscape, it’s worth noting that they certainly have a stake in all of this. They are, after all, a security company that makes its money by selling software and consultations to people and organizations with security concerns. It is in their best interest that the world be aware and worried about eEspionage and iThieves. That said, it is impossible to deny that their report is more than a little worrisome. I’m a Mac user and even I’m quaking in my boots.
