Has the United States already suffered its cyberwar Pearl Harbor?
The campaign, called "Operation Shady RAT" (remote access tool), was described by Dmitri Alperovitch, McAfee's VP of threat research in a recent blog post: Revealed: Operation Shady RAT. According to Alperovitch, these attacks are major assaults against both countries and corporations.
He writes, "Having investigated intrusions such as Operation Aurora [China's attack on Google) and Night Dragon (systemic long-term compromise of Western oil and gas industry), as well as numerous others that have not been disclosed publicly, I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they've been compromised and those that don't yet know. "
Alperovitch also declares that these government-sponsored attacks are on an entirely different scale than those of the kiddie attacks made by such groups as Anonymous and Lulzsec. The McAfee executive wrote, "The targeted compromises--known as 'Advanced Persistent Threats (APTs) … we are focused on are much more insidious and occur largely without public disclosures. They present a far greater threat to companies and governments, as the adversary is tenaciously persistent in achieving their objectives. The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cybercrime, another serious but more manageable threat."
Furthermore, "What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth - closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA [supervisory control and data acquisition] configurations, design schematics and much more has 'fallen off the truck' of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries."
McAfee claims to have uncovered this by gaining "access to one specific Command & Control server used by the intruders. We have collected logs that reveal the full extent of the victim population since mid-2006 when the log collection began."
The actual attack method is familiar to anyone in computer security. "The compromises themselves were standard procedure for these types of targeted intrusions: a spear-phishing email containing an exploit is sent to an individual with the right level of access at the company, and the exploit when opened on an unpatched system will trigger a download of the implant malware. That malware will execute and initiate a backdoor communication channel to the Command & Control web server and interpret the instructions encoded in the hidden comments embedded in the webpage code. This will be quickly followed by live intruders jumping on to the infected machine and proceeding to quickly escalate privileges and move laterally within the organization to establish new persistent footholds via additional compromised machines running implant malware, as well as targeting for quick exfiltration the key data they came for."
A recent spear-phishing study--an e-mail based attack that tries to trick you into clicking on what appears to be a safe Web link but actually tries to steal data or delivers malware--found that "23% of people worldwide are vulnerable to targeted/spear phishing attack" and that "on an average 60% of corporate employees that were found susceptible to targeted spear phishing responded to the phishing emails within three hours of receiving them." With odds like that, it's easy to see why corporate and government spear-phishing could work so well.
McAfee's study shows that numerous U.S. government agencies were successfully attacked. In addition, Canada, South Korea, Vietnam, the United Nations, and India were hacked. Numerous electronics and defense companies have also fallen victim.
ShadyRAT's targets by category
What's the point of these attacks? Alperovitch isn't sure but he believes, "If even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team's playbook), the loss represents a massive economic threat not just to individual companies and industries but to entire countries that face the prospect of decreased economic growth in a suddenly more competitive landscape and the loss of jobs in industries that lose out to unscrupulous competitors in another part of the world, not to mention the national security impact of the loss of sensitive intelligence or defense information."
The first shots appear to have been fired in the first major cyber-war. The next question is: "Who's behind them?" Alperovitch isn't saying, but some observers suggest that China is behind what might be called a technology Pearl Harbor.
Related Stories:
- Major cyber-espionage operation exposed
- LulzSec 'spokesperson' arrested by Scotland Yard
- Anonymous, LulzSec vs. PayPal: eBay's cash cow in the crosshairs
- Hacking attacks from China hit energy companies worldwide
- Google-China cyber espionage saga - FAQ
- CNET: Global cyber-espionage operation uncovered