Operation Shady RAT – McAfee Says Over 70 Organizations Breached By Remote Access Tool
McAfee has put out a report called “Revealed: Operation Shady RAT,” which details an investigation of what is being called the “biggest-ever series of cyber attacks”.
The report, authored by McAfee VP Threat Research, Dmitri Alperovitch, discusses the investigation of targeted intrusions into over 70 global companies, governments and non-profit organizations that have occurred over the last five years.
“What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth — closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more has ‘fallen off the truck’ of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries,” writes Alperovitch in the report.
“What is happening to all this data — by now reaching petabytes as a whole — is still largely an open question,” he continues. “However, if even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat not just to individual companies and industries but to entire countries that face the prospect of decreased economic growth in a suddenly more competitive landscape and the loss of jobs in industries that lose out to unscrupulous competitors in another part of the world, not to mention the national security impact of the loss of sensitive intelligence or defense information.”
He goes on to call the report the “most comprehensive analysis ever revealed of victim profiles”, published in an effort to raise public awareness of how the lack of voluntarily disclosed intrusions contributes to a poor understanding, among the public and the industry alike, of intrusions such as this one, which he named “Operation Shady RAT”, with “RAT” standing for Remote Access Tool. The intrusions are believed to stem from a “state actor” because of the apparent lack of commercial gain.
“This is not a new attack, and the vast majority of the victims have long since remediated these specific infections (although whether most realized the seriousness of the intrusion or simply cleaned up the infected machine without further analysis into the data loss is an open question),” Alperovitch explains. “McAfee has detected the malware variants and other relevant indicators for years with Generic Downloader.x and Generic BackDoor.t heuristic signatures (those who have had prior experience with this specific adversary may recognize it by the use of encrypted HTML comments in web pages that serve as a command channel to the infected machine).”
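The command channel Alperovitch describes, encrypted content hidden inside HTML comments of otherwise ordinary web pages, is the kind of thing a defender can hunt for in proxy or sandbox captures without knowing the adversary's exact encoding. The following is an added example, not code from McAfee or from the report: it extracts every HTML comment from a page and flags those that are long, whitespace-free, confined to a base64/hex-style alphabet and high in character entropy. The sample pages, the `OPAQUE_RE` pattern and the entropy threshold are assumptions chosen for illustration, not the actual Shady RAT format.

```python
import base64
import math
import re
from html.parser import HTMLParser

# Assumed heuristic: a comment is "opaque" when it is at least 32 characters,
# contains no whitespace, uses only a base64/hex-style alphabet and has high
# per-character entropy. Real developer comments are prose and fail these checks.
OPAQUE_RE = re.compile(r"^[A-Za-z0-9+/=]{32,}$")

# Constructed sample pages. The "command blob" is just base64 of bytes 0..63,
# standing in for an encrypted payload; it is not taken from any real sample.
OPAQUE_BLOB = base64.b64encode(bytes(range(64))).decode()

BENIGN_PAGE = """<html><head><!-- site header v2 --></head>
<body><!-- TODO: replace hero image --><p>Welcome</p></body></html>"""

SUSPICIOUS_PAGE = """<html><body>
<!-- %s -->
<p>Nothing to see here</p></body></html>""" % OPAQUE_BLOB


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty or single-symbol input)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class CommentCollector(HTMLParser):
    """Collects the body of every <!-- ... --> comment in a document."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def extract_comments(html: str) -> list:
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def find_opaque_comments(html: str, min_entropy: float = 3.5) -> list:
    """Return the comments in `html` that look like encoded blobs rather than prose."""
    flagged = []
    for comment in extract_comments(html):
        if OPAQUE_RE.match(comment) and shannon_entropy(comment) >= min_entropy:
            flagged.append(comment)
    return flagged


if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("suspicious", SUSPICIOUS_PAGE)):
        print(name, "->", find_opaque_comments(page))
```

Run over a corpus of fetched pages, the flagged comments are candidates for closer inspection, not verdicts: a minified inline asset or a tracking token can trip the same heuristic, so the output is best fed into a review queue alongside the requesting host and the page's reputation.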
Here’s a breakdown, provided in the report, of the types of organizations (and how many of each) that have been affected:
Included were 49 victims in the US, 4 in Canada, 3 in South Korea, 3 in Taiwan, 2 in Japan, 2 in Switzerland, 2 in the UK, 1 in Indonesia, 1 in Vietnam, 1 in Denmark, 1 in Singapore, 1 in Hong Kong, 1 in Germany, and 1 in India.
Reuters is suggesting that China may be involved, citing a “cyber expert” with the Center for Strategic and International Studies as saying it was likely China because some of the targets had information that would be of “particular interest to Beijing.” Jim Lewis, the cyber expert in question, is quoted as saying, “Everything points to China. It could be the Russians, but there is more that points to China than Russia.”
The McAfee report (pdf) makes no mention of such accusations, and has not commented on the notion.
The company does provide significantly more details about its findings in the report, however.