McAfee reveals cyberattacks against 72 organisations

A UK defence contractor, the UN, and various US federal government agencies were among the victims of a targeted series of cyberattacks that spanned at least five years, according to security company McAfee.

McAfee has revealed that 72 organisations including the UN were targeted by a series of cyberattacks spanning five years.

The attacks against 72 organisations used targeted emails loaded with malicious software to subvert systems, and were likely to have been perpetrated by a state actor, McAfee vice president of threat research Dmitri Alperovitch said in a blog post on Tuesday.

"The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cybercrime," said Alperovitch.

McAfee called the state actor 'Operation Shady RAT' — 'RAT' stands for 'remote access tool'. Attacks by hacker groups such as Lulzsec and Anonymous gain a lot of attention, but cyber-espionage threats tend to be more insidious, said Alperovitch.

The hackers were looking for "closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, Scada configurations, and design schematics". Scada (Supervisory Control and Data Acquisition) systems are used by a number of critical national infrastructure institutions.

Range of targets

A wide range of organisations was targeted in the cyberattacks, including the United Nations, the International Olympic Committee and six US federal government organisations.

The International Olympic Committee was targeted in 2007, in the run-up the Beijing Olympics in 2008. Asian and Western Olympic Committees and the World Anti-Doping Agency were also targeted in the same time frame. One UK defence contractor's systems were subverted for a year from January 2009, while a UK computer security company was hacked in February 2008 and remained wide open for six months, said McAfee. The United Nations was hacked for 20 months.

In addition, the Association of South-East Nations (Asean) Secretariat, 12 US defence contractors, a US IT company, a US communications technology company, a US news media organisation at its New York and Hong Kong bureaus, the US Department of Energy Research Laboratory, and a US accounting firm were all among the hackers' victims.

Cyberattack methodolgy

McAfee gained access to one of the hackers' command and control servers, which was located in a western country, and picked up information about victims and the cyberattack methodology from logs on that server.

"The attack methodology would indicate one particular organisation doing a series of targeted attacks," McAfee EMEA chief technology officer Raj Samani told ZDNet UK on Wednesday. "It's just one example of the types of threats we are seeing on a day-to-day basis."

The attack methodology would indicate one particular organisation doing a series of targeted attacks.

– McAfee

The attackers sent targeted emails to particular officials or employees at an appropriate level in the organisation. When the employees opened attached malware on an unpatched system, the machine would become infected and open a backdoor communication to a command and control server. Hackers would then quickly escalate privileges on the machine, and infect other computers on a network, in addition to stealing data. The hackers used a number of different exploits to gain access to systems, a McAfee spokesman told ZDNet UK on Wednesday.

"The culprits used a typical cyber-arsenal and breached organisations with spear-phishing and zero-days," said the spokesman in an instant messaging interview. Spear-phishing involves sending targeted malicious emails, often with a social-engineering component, while a zero-day exploit is a piece of malware that exploits a vulnerability for which there is no patch.

UK cyber-policy

The Cabinet Office, which leads on UK government cybersecurity, told ZDNet UK that a government cyber-conference at the beginning of November would address the question of 'rules of the road' for cyber-policy.

"The [McAfee] report highlights that cybersecurity challenges are transnational, and calls for concerted international cooperation in response," said a Cabinet Office spokesman. "To achieve that, we need to build the widest possible shared understanding of what constitutes acceptable behaviour in cyberspace. The UK is taking a lead by hosting an international conference in November to drive that debate forward."

The Ministry of Defence declined to comment on the hack of the UK defence contractor, saying that security responsibilities lie with its contractors.

UK defence contractors include Lockheed Martin, which reported an attempt to penetrate its systems using the RSA SecureID breach in May 2011.

UK defence expert Jim O'Halloran, director of Research Analyst Defence Ltd, told ZDNet UK on Wednesday that cyber-espionage attacks on UK defence contractors were not uncommon: "It is not surprising that UK defence contractors would be targets for those outside agencies to try to gain access to computer systems," said O'Halloran, a former Royal Navy electronic warfare and intelligence specialist.