Operation Shady RAT: Five things to know

Summary: McAfee unearthed a massive, global cyberattack campaign named "Operation Shady RAT" that compromised more than 70 major organizations. Here's what you need to know.


On Tuesday, Vanity Fair published a scoop explaining that cybercriminals have spent more than five years cautiously working to obtain data from more than 70 government agencies, corporations and non-profit groups.

The campaign, named "Operation Shady RAT" -- RAT as in "remote access tool" -- was discovered by Dmitri Alperovitch, vice president of threat research at security firm McAfee.

While most of the targets have removed the malware, the operation persists. The good news: McAfee gained access to a command-and-control server used by the attackers and has been watching, silently. (U.S. law enforcement officials are working to shut down the operation.)

This morning, McAfee published a 14-page report (.pdf) summarizing its findings.

Here are five things you need to know:

  1. 72 organizations were compromised. Among them: the U.S., Canadian, South Korean, Vietnamese, Taiwanese and Indian governments; the United Nations; industrial and energy corporations; electronics and IT firms; news media; defense contractors; real estate firms; sports groups and think tanks.
  2. It's not just North America and Europe. Sure, 49 of the targets were American, but Asian interests tallied 13 targets. Why? Political motivation: Targets that include Olympic committees and political non-profits show that the group was not "interested only in economic gains," Alperovitch writes in the report.
  3. When the coast was determined to be clear, the attackers struck. There were only eight intrusions in 2006, when the logs began, but the pace of activity jumped 260 percent the following year, striking 29 targets. It rose to 36 victims in 2008 and 38 in 2009 before slowing down, likely because of the availability of countermeasures for these kinds of intrusions.
  4. This was a single operation by a single group. But it's not for the reason you think: "The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cybercrime, another serious but more manageable threat."
  5. "The only organizations that are exempt from this threat are those that don't have anything valuable or interesting worth stealing." Alperovitch said he divides Fortune Global 2000 firms into two categories: those that know they've been compromised and those that don't yet know.

In closing, Alperovitch offers a sobering sense of scope for these kinds of cyberattacks, which he notes have occurred "relentlessly for the past decade" but have only recently gained press.

The loss [of this data] represents a massive economic threat not just to individual companies and industries but to entire countries that face the prospect of decreased economic growth in a suddenly more competitive landscape and the loss of jobs in industries that lose out to unscrupulous competitors in another part of the world, not to mention the national security impact of the loss of sensitive intelligence or defense information.



Andrew Nusca

About Andrew Nusca

Andrew Nusca is a former writer-editor for ZDNet and contributor to CNET. During his tenure, he was the editor of SmartPlanet, ZDNet's sister site about innovation.



  • Were the companies notified?

    I would like to know if my company was affected.
    Your Non Advocate
  • Message has been deleted.

    Reality Bites
    • RE: Operation Shady RAT: Five things to know

      @Reality Bites Between your comment and "The only organizations that are exempt from this threat are those that don't have anything valuable or interesting worth stealing." it's clear that ZDNet commenters are completely safe! No intellectual ANYTHING here! Woo-hoo! Oh, wait a second, that's not so good....
    • RE: Operation Shady RAT: Five things to know

      @Reality Bites I doubt only Cisco and Microsoft vulnerabilities were used to hack into this many infrastructures. Security has always been and will always be an issue.
    • I thought your breath smelled like BS

      @Reality Bites
      You're just another hater.
      And you wonder why you have to act like such an a$$, because nobody takes losers like you seriously, it's the only way to draw attention to yourself.

      Grow up or get out.
      William Farrell
      • RE: Operation Shady RAT: Five things to know

        @William Farrell
        Hear, Hear!!
  • The guilt IMO lies with the "victims" that would:

    1) Rather let IE and MS Outlook plod around than enforce more secure alternatives;
    2) Use systems that REQUIRE the former to work rather than invest in (or develop) alternatives (unlike SMEs who often can't afford otherwise due to external factors);
    3) Allow internet access without antiviral filtering for browsing and email;
    4) Not do their homework/due diligence but go for the shine of the brand when the choice of vendor (esp. in security equipment) is concerned;
    5) Allow, often computer-illiterate, executives to run as unrestricted, privileged users on their job box;
    6) Disable stuff like UAC or AppArmor/SELinux because they nag them and they can't be bothered to adjust them properly;

    Though nothing can save you with certainty from zero-day exploits, I'm sure a lot of infestations are not only the indirect fault of, but in fact start within, IT departments filled with MS-certificated "experts" with inflated egos (and user privileges), but for whom the computing world started in the lower left corner of their desktop.
  • RE: Operation Shady RAT: Five things to know

    Most of you trolls seem to have missed the vector through which these attacks have been perpetrated: spear-phishing, which is a form of social engineering. How can Microsoft, Cisco, or any other company be responsible when it's the stupidity of the individuals receiving these emails that allows the malware to execute and embed itself on their computers?
    • RE: Operation Shady RAT: Five things to know

      Hence my comment... unless you didn't include me in the "trolls" remark.
  • RE: Operation Shady RAT: Five things to know

  • Who is responsible? One way to know....

    Just take a look and see who is not being attacked.

    I see no attacks in Russia or China. And the Pacific interests in the attacks would indicate a major Asian nation. Now who could that be....

  • XKCD has this nicely

  • RE: Operation Shady RAT: Five things to know

    This isn't the first time that China has gotten its hands dirty.

    Google GhostNet. I was doing some malware research and I stumbled across it. I believe that this was also a spear-phishing attack. Embassies were targeted. Britain was infected, along with India and the Tibetan government in exile.

    From what I am hearing, they have trade schools set up specially to train hackers. Could be rumor, but we could be looking at a new cold war here in North America.