
Operation Shady Rat reveals vulnerability to cyber intrusion

While the last few months have seen an unprecedented number of high-profile breaches, including intrusions into RSA, Lockheed Martin, Sony, Fox, PBS, the U.S. Senate and the CIA, Wednesday's release of a white paper by security firm McAfee detailing a breach campaign it is labeling Operation Shady Rat stands to surpass them all.

In its 14-page report, McAfee identified 72 companies in 14 countries that it claimed have been the victims, over more than five years, of cyberattacks siphoning intellectual property, including government data, business dealings and corporate research.

Government agencies in the United States, Taiwan, South Korea, Vietnam and Canada were among the targets, said the report, penned by Dmitri Alperovitch, vice president of threat research. Nearly 50 of the affected entities were corporations, government agencies (particularly defense contractors) and nonprofits based in the United States. The United Nations and Associated Press were also victims.

The McAfee report said the targeted compromises of Operation Shady Rat [RAT is an acronym for remote access tool, a form of software used to access computer networks] are APTs, advanced persistent threats, a form of cyber intrusion typically used for espionage, as opposed to the more visible, politically motivated cyberattacks by hacktivist groups such as Anonymous and LulzSec.

"[Operation Shady Rat presents] a far greater threat to companies and governments, as the adversary is tenaciously persistent in achieving their objectives," the report said. "The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cybercrime, another serious but more manageable threat."

The fact that a number of Olympic committees were targeted around the time of the 2008 Olympics led Alperovitch in the report to speculate that a state actor was behind the intrusions, "because there is likely no commercial benefit to be earned from such hacks."

But, "McAfee got it wrong," Amichai Shulman, CTO and co-founder of security company Imperva, said in an email.

Rather than a government being to blame, Shulman said this appears to be targeted criminal hacking, a growing scourge in which botnet farmers infect computers through automated spear phishing campaigns.

In the typical spear phishing campaign, a user receives an email that seems to come from a trusted partner. The message contains a link to a web page that, when clicked, loads a malicious program onto the recipient's computer. The intruder now has access to the network and can subsequently escalate user privileges and begin siphoning off data.
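The paragraph above describes the spear phishing pattern from the attacker's side; the following is an added example (not code from the article or from any of the firms quoted) showing the checks a mail-security analyst would run on such a message before anyone clicks. The message, sender names, domains and URLs are constructed placeholders, and the trusted-partner list is an assumed allow-list.

```python
"""Triage heuristics for the spear-phishing message pattern described above.

Added example, not part of the original article. It parses a constructed
message and flags the signals a defender looks at: a display name that claims
a trusted partner while the address domain differs, a Reply-To that diverges
from From, and visible link text whose domain does not match the real target.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; every name, domain and URL is a placeholder.
SAMPLE_MESSAGE = b"""From: "Partner Corp Accounts" <billing@partner-corp-mail.example>
Reply-To: collect@unrelated.example
To: finance@victim.example
Subject: Updated invoice - action required
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please review the updated invoice on our portal:</p>
<a href="http://invoice-update.example/login">https://portal.partner-corp.example/invoices</a>
</body></html>
"""

# Assumed allow-list of domains the organisation actually does business with.
TRUSTED_PARTNERS = {"partner-corp.example"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr_or_url):
    """Lower-cased host part of an email address or URL ('' if none)."""
    if "@" in addr_or_url and "://" not in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].strip("<> ").lower()
    return (urlparse(addr_or_url).hostname or "").lower()


def triage_message(raw):
    """Return a list of (signal, detail) tuples for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)

    # 1. Display name invokes a trusted partner, but the address domain is not theirs.
    name_words = from_name.lower().replace("-", " ")
    for partner in TRUSTED_PARTNERS:
        label = partner.split(".")[0].replace("-", " ")
        if label and label in name_words and from_dom not in TRUSTED_PARTNERS:
            findings.append(("lookalike-sender", f"{from_name!r} sent from {from_dom}"))

    # 2. Replies are routed to a different domain than the one the mail claims to come from.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and _domain(reply_to) != from_dom:
        findings.append(("reply-to-mismatch", f"Reply-To {reply_to} vs From {from_addr}"))

    # 3. The visible link text shows one domain while the href points somewhere else.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if "://" in text and _domain(text) != _domain(href):
                findings.append(("link-text-mismatch", f"text {text} -> href {href}"))
    return findings


if __name__ == "__main__":
    for signal, detail in triage_message(SAMPLE_MESSAGE):
        print(f"{signal}: {detail}")
```

None of these signals proves a message is malicious on its own; the value is in surfacing them to a reviewer, or to a mail gateway rule, before the link is followed, which is exactly the step the paragraph above says the intruder depends on.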

Using this process, Shulman said, villains profile the infected machines by organization and sell them to other hackers looking for specific targets.

"I don't think that the adversary is really putting a lot of effort targeting a single organization – it wouldn't be cost effective," Shulman said. "There is a clear commercial motivation here."

But other experts agree with McAfee's speculation that the attack originated from a nation-state. "Operation Shady RAT is a clear example of how prevalent sophisticated, targeted cyberespionage is," Gretchen Hellman, VP of product management at security firm Vormetric, told SCMagazine on Wednesday. "This is a call for government organizations and prime commercial targets to move from information protection programs to strong information defense strategies. Shifting to information defense creates a sense of urgency and recognition that advanced persistent threats are a reality, and places a keen focus on taking steps to defend data from powerful enemies."

Anup Ghosh, CEO and founder of Invincea, said on Thursday that McAfee painted the broader strokes of a concerted campaign against all industry sectors and government in the United States. "We do believe that what we are witnessing is wholesale theft of the nation's IP that will affect our competitiveness on a global scale in future years to come. One thing the McAfee report did not mention, however, is that these attacks illustrate that the security industry as a whole has failed in its mission to protect corporate, government and citizens against these attacks," Ghosh said.

"It is time to stop blaming users for clicking on links and attachments, time to stop blaming the companies and agencies who are victim to these attacks, and time to start innovating in security again so we fight 21st century attacks with 21st century technologies," Ghosh said.

In its research, McAfee gained access to a command-and-control server used by the intruders and collected logs from which it was able to extrapolate data on the targets going back to mid-2006, though the intrusions may have begun before that date, the report said.
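The analysis described above, turning recovered command-and-control logs into a per-victim timeline, is illustrated by the following added example. It is not McAfee's code and the log format, victim identifiers and addresses are constructed placeholders; the one thing it preserves from the article is the reasoning that the earliest entry in a log is only a bound on when the campaign began.

```python
"""Building a victim timeline from command-and-control server logs.

Added example, not from the McAfee report. The log format (date, time,
request path carrying a victim id and a stage, source address) is an
assumption, and all identifiers and addresses are constructed. Given check-in
records recovered from a C2 server, it computes first-seen and last-seen dates
per victim so the start of activity can be estimated.
"""
import re
from datetime import date

# Constructed C2 access-log lines; one line is deliberately malformed.
SAMPLE_C2_LOG = """\
2006-07-12 03:14:55 GET /report.php?id=VICTIM-0042&stage=checkin 198.51.100.23
2006-07-12 03:15:09 GET /report.php?id=VICTIM-0042&stage=task 198.51.100.23
2006-11-30 22:41:17 GET /report.php?id=VICTIM-0107&stage=checkin 203.0.113.77
garbage line with no timestamp
2008-08-04 09:02:44 GET /report.php?id=VICTIM-0042&stage=upload 198.51.100.23
2011-06-19 17:55:01 GET /report.php?id=VICTIM-0107&stage=checkin 203.0.113.78
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} "
    r"GET /report\.php\?id=(?P<victim>[A-Z]+-\d+)&stage=(?P<stage>\w+) "
    r"(?P<src>\S+)$"
)


def parse_c2_log(text):
    """Yield (date, victim_id, stage, source_ip) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped rather than guessed at
        yield (date.fromisoformat(m["date"]), m["victim"], m["stage"], m["src"])


def victim_timeline(text):
    """Map victim_id -> {first_seen, last_seen, events, sources} built from the log."""
    timeline = {}
    for day, victim, _stage, src in parse_c2_log(text):
        entry = timeline.setdefault(
            victim, {"first_seen": day, "last_seen": day, "events": 0, "sources": set()}
        )
        entry["first_seen"] = min(entry["first_seen"], day)
        entry["last_seen"] = max(entry["last_seen"], day)
        entry["events"] += 1
        entry["sources"].add(src)
    return timeline


def earliest_activity(text):
    """Earliest date in the log: the campaign began no later than this.

    Earlier activity may simply be missing from the recovered log, so this is
    a bound, not a start date.
    """
    tl = victim_timeline(text)
    return min(e["first_seen"] for e in tl.values()) if tl else None


if __name__ == "__main__":
    ordered = sorted(victim_timeline(SAMPLE_C2_LOG).items(), key=lambda kv: kv[1]["first_seen"])
    for victim, e in ordered:
        print(f"{victim}: {e['first_seen']} .. {e['last_seen']} "
              f"({e['events']} events, {len(e['sources'])} source addresses)")
    print("activity observed from:", earliest_activity(SAMPLE_C2_LOG))
```

Grouping by victim identifier rather than by source address matters because, as the sample shows, one victim can appear from more than one address over the years; the identifier the implant reports is what ties the records together.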

In a conference call on Wednesday, McAfee's Alperovitch said that although he named only 72 companies in the white paper, it is fair to assume that the number of victim organizations goes well into the thousands.

Most of the targets have reportedly removed the malware, and U.S. law enforcement agencies are on the case to shut down the operation. However, it is ongoing.

"Unstructured data stores in the United States hold trillions of dollars' worth of intellectual property – which Operation Shady RAT has demonstrated is a valuable target," said Vormetric's Hellman. "Information defense for valuable unregulated data – such as IP – requires full defense in depth applied directly to data, including intelligent encryption, strong access control and solid system security as preventative measures, and real-time activity monitoring."

Invincea's Ghosh agreed. "Contrary to what the security industry now messages, prevention is not a failed strategy. We can change the game by collecting intel on our adversaries when they compromise our virtual environments rather than them collecting intel on us."

Updated Aug. 4
