Remember when Google was hacked by Chinese spies about 18 months ago? Well, that just scratched the surface of some of the more serious and persistent hacking operations over the past few years. In a detailed blog post that is both eye-opening and a brilliant piece of marketing, McAfee’s VP of Threat Research Dmitri Alperovitch lays out the details of Operation Shady RAT (Remote Access Tool), an ongoing series of computer system intrusions that began as far back as 2006 and compromised 72 organizations, including the United Nations, the International Olympic Committee, the World Anti-Doping Agency, U.S. defense contractors, U.S. federal and state government agencies, a national security think tank, tech companies, and “even an unfortunate computer security firm” (presumably a McAfee competitor).
The scope of the attacks makes things like the recent Sony PlayStation or News Corp hacks look like child’s play. The targets point to a “state actor,” possibly China (the McAfee post does not identify which state actor it suspects, but China does have a history here).
Alperovitch writes, quite alarmingly:
I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.
. . . What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth — closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more has “fallen off the truck” of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries.
McAfee learned all of these details by gaining control of a “Command & Control” server directing the exploits. Operation Shady RAT resulted in the long-term harvesting of sensitive information from government agencies, companies, and international organizations. Alperovitch explains how it worked:
The compromises themselves were standard procedure for these types of targeted intrusions: a spear-phishing email containing an exploit is sent to an individual with the right level of access at the company, and the exploit when opened on an unpatched system will trigger a download of the implant malware. That malware will execute and initiate a backdoor communication channel to the Command & Control web server and interpret the instructions encoded in the hidden comments embedded in the webpage code. This will be quickly followed by live intruders jumping on to the infected machine and proceeding to quickly escalate privileges and move laterally within the organization to establish new persistent footholds via additional compromised machines running implant malware, as well as targeting for quick exfiltration the key data they came for.
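The mechanism Alperovitch describes, an implant that fetches an ordinary-looking web page and reads its orders out of hidden HTML comments, suggests one defensive check: inspect the comments of pages your endpoints fetch and flag any that look like an encoded blob rather than text a web developer would write. The following is an added example written for this article, not McAfee's tooling and not code from the Shady RAT report; the base64-run heuristic, the entropy threshold, and the sample page are all assumptions for illustration.

```python
"""Inspect fetched web pages for HTML comments that look like encoded command channels.

Added, constructed example (not McAfee's code): a proxy or sandbox can run this
over pages an endpoint retrieved and flag comments that are a single unbroken
base64-alphabet token with high entropy. Thresholds and the sample page are
assumptions chosen for illustration.
"""
import base64
import math
import re
from typing import List, Optional, Tuple

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# One unbroken run from the base64 alphabet with optional '=' padding.
# Human-written comments almost always contain spaces or punctuation.
B64_RUN_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

MIN_LEN = 16             # assumption: shorter tokens are too ambiguous to flag
ENTROPY_THRESHOLD = 4.0  # assumption: bits/char; prose sits lower, encoded blobs higher


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def extract_comments(html: str) -> List[str]:
    """Return the stripped body of every <!-- ... --> comment in the page."""
    return [m.group(1).strip() for m in COMMENT_RE.finditer(html)]


def is_suspicious(comment: str) -> bool:
    """Heuristic: a long, unbroken base64-alphabet token with high entropy."""
    if len(comment) < MIN_LEN or not B64_RUN_RE.match(comment):
        return False
    return shannon_entropy(comment) >= ENTROPY_THRESHOLD


def decode_if_base64(token: str) -> Optional[bytes]:
    """Strictly decode the token as base64 for an analyst to inspect, or None."""
    try:
        return base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def scan_page(html: str) -> List[Tuple[str, float, Optional[bytes]]]:
    """Return (comment, entropy, decoded_bytes) for each flagged comment."""
    return [
        (c, round(shannon_entropy(c), 2), decode_if_base64(c))
        for c in extract_comments(html)
        if is_suspicious(c)
    ]


# Constructed sample page: three ordinary comments and one encoded blob.
# The blob is just the base64 of the alphabet, standing in for an encoded instruction.
SAMPLE_PAGE = """<html><head>
<!-- TODO: remove debug banner before release -->
<!--[if lt IE 9]><script src="/html5shiv.js"></script><![endif]-->
</head><body>
<!-- dGVzdA== -->
<p>Welcome.</p>
<!-- QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo= -->
</body></html>"""

if __name__ == "__main__":
    for comment, entropy, decoded in scan_page(SAMPLE_PAGE):
        print(f"flagged comment ({entropy} bits/char): {comment!r} -> {decoded!r}")
```

On the constructed page only the last comment is flagged: the conditional comment and the developer note fail the single-token rule, and the short `dGVzdA==` falls under the length floor. In practice this heuristic is a triage filter, not a verdict: legitimate pages do carry build hashes and tracking IDs in comments, so the output belongs in a review queue alongside the fetching process and destination reputation rather than in an automatic block.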
Are you feeling scared and vulnerable yet? Well, I’m sure McAfee will sell your company a security monitoring service that will make you feel safer. But will you really be any safer if state-sponsored hackers want to gain access to your files? They could be climbing in your windows right now.