Wednesday, August 03, 2011

Q+A: Massive cyber attack dubbed "Operation Shady RAT"

Wed Aug 3, 2011
By Jim Finkle

BOSTON (Reuters) - Hackers breached the computer networks of 72 organizations around the world over a five-year period, in the biggest hacking campaign discovered to date, security firm McAfee said on Wednesday.

Here are questions and answers on the attacks, dubbed "Operation Shady RAT" by McAfee, which was bought by Intel Corp earlier this year:

Q. Who are the victims?

A. They include:

- Governments of Canada, India, South Korea, Taiwan, United States and Vietnam.

- International bodies such as the United Nations, the Association of Southeast Asian Nations (ASEAN), the International Olympic Committee, the World Anti-Doping Agency.

- 12 U.S. defense contractors, 1 U.K. defense contractor.

- Companies in construction, steel, energy, solar power, technology, satellite communications, accounting and media.

- Other groups ranging from a U.S. insurance association to the Nevada county government and think tanks.

McAfee declined to identify many of the victims by name.

Q. When and how did the attacks take place?

A. McAfee found evidence of security breaches dating back to mid-2006, but said the hacking might have begun well before that. Some of the attacks lasted just a month, others stretched to as many as 28 months.

The hackers sent so-called spear-phishing emails, messages tailored to specific people at the targeted organizations and carrying malicious software. When the recipient opened the infected link or attachment, the malware gave the intruders remote access to that machine, a foothold they then used to move deeper into the organization's network.

Q. What information was stolen?

A. McAfee investigators could only infer what was likely stolen, based on interviews with a number of victims. McAfee Vice President of Threat Research Dmitri Alperovitch said the attacker sought data that would give it military, diplomatic and economic advantage.

"If you look at an industry and think about what is most valuable in terms of intellectual property, that is what they were going after," Alperovitch said. As examples, he cited email archives, negotiation documents and schematics for electronics.

Q. Who did it?

A. McAfee's Alperovitch said he believes that a nation state was behind the attacks, but he declined to identify it. He said the attacker is the same country that was behind other security breaches that McAfee has previously investigated.

Jim Lewis, an expert in cyber attacks with the Center for Strategic and International Studies, was briefed by McAfee. Lewis said the presence of Taiwan and the International Olympic Committee on the victim list suggests China is the most likely perpetrator of the attack.

Q. How valuable is the data that was stolen?

A. "This is the biggest transfer of wealth in terms of intellectual property in history," Alperovitch said. "The scale at which this is occurring is really, really frightening."

"Companies and government agencies are getting raped and pillaged every day. They are losing economic advantage and national secrets to unscrupulous competitors," he said.

Q. How did McAfee learn of these attacks?

A. While investigating some attacks against defense contractors, McAfee researchers found a "command and control" server in 2009 used to manage the campaign. In March of this year, they returned to that computer and found logs that revealed all of the attacks.
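The finding described above rests on a routine forensic step: a command-and-control server records each check-in from an implant, so its logs let an investigator rebuild, per victim, when the intrusion began, when it ended and roughly how long the attacker had access. The example below is added here to illustrate that step; it is not McAfee's tooling, and the log format (timestamp, victim tag, source IP, command) and the sample entries are constructed for illustration.

```python
"""Rebuild per-victim intrusion timelines from command-and-control (C2) logs.

Added illustrative example. The log format below is an assumption made for
this example; real C2 software logs whatever its author chose to record.
"""
from datetime import datetime

# Constructed sample beacon log: one line per implant check-in.
# Assumed format: ISO-8601 timestamp, victim tag, source IP, command.
SAMPLE_LOG = """\
2006-07-12T03:14:55Z victim-A 198.51.100.23 beacon
2006-08-02T03:15:01Z victim-A 198.51.100.23 beacon
2006-08-09T04:01:10Z victim-A 198.51.100.23 exfil
2008-11-20T12:00:00Z victim-B 203.0.113.7 beacon
2008-11-30T12:00:03Z victim-B 203.0.113.7 beacon
2008-12-21T12:00:05Z victim-B 203.0.113.7 beacon
2009-01-05T09:00:00Z victim-C 192.0.2.44 beacon
garbage line that does not parse
2011-05-01T09:00:00Z victim-C 192.0.2.44 beacon
"""


def parse_line(line):
    """Parse one log line; return (timestamp, victim, ip, command) or None.

    Seized logs are rarely clean, so anything that does not match the
    expected shape is skipped rather than allowed to abort the run.
    """
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3]


def build_timelines(log_text):
    """Group check-ins by victim and track first/last seen, count, IPs, commands."""
    timelines = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, victim, ip, cmd = rec
        t = timelines.setdefault(
            victim,
            {"first": ts, "last": ts, "checkins": 0, "sources": set(), "commands": set()},
        )
        t["first"] = min(t["first"], ts)
        t["last"] = max(t["last"], ts)
        t["checkins"] += 1
        t["sources"].add(ip)
        t["commands"].add(cmd)
    return timelines


def dwell_months(first, last):
    """Dwell time as the number of calendar months spanned by first..last."""
    return (last.year - first.year) * 12 + (last.month - first.month)


def summarize(log_text):
    """One row per victim: tag, first seen, last seen, dwell months, check-ins, commands."""
    rows = []
    for victim, t in sorted(build_timelines(log_text).items()):
        rows.append((
            victim,
            t["first"].date().isoformat(),
            t["last"].date().isoformat(),
            dwell_months(t["first"], t["last"]),
            t["checkins"],
            sorted(t["commands"]),
        ))
    return rows


def earliest_evidence(log_text):
    """Date of the oldest check-in seen by this server (ISO date string).

    This bounds only what this one server recorded; a campaign can predate
    the earliest surviving log entry.
    """
    return min(t["first"] for t in build_timelines(log_text).values()).date().isoformat()


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
    print("earliest evidence on this server:", earliest_evidence(SAMPLE_LOG))
```

On the constructed sample, victim-A and victim-B each show a roughly one-month intrusion and victim-C a 28-month one, the kind of spread the article reports. Note the caveat built into `earliest_evidence`: the oldest entry is the oldest thing this server saw, not necessarily the start of the campaign, which is exactly why McAfee said the hacking might have begun well before mid-2006.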

McAfee is typically unable to discuss its investigations because of non-disclosure agreements with the victims. It was able to discuss Operation Shady RAT because, in this case, it was not bound by any such agreement.

Q. What does the "RAT" in Operation Shady RAT stand for?

A. RAT stands for "remote access tool," software that lets someone control a computer from afar. Administrators and security professionals use legitimate versions of such tools; when one is planted covertly on a victim's machine, as in these attacks, it gives the intruder the same control and is then often called a remote access trojan.

(Editing by Tiffany Wu and Martin Howell)
