In conjunction with this week’s Black Hat 2011 hacker conference, security vendor McAfee Inc. has released details on what it describes as the most comprehensive revelation and analysis of previously undisclosed intrusions, which may threaten the national security of the U.S. and other nations.
I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly).
Dmitri Alperovitch, vice president of threat research, McAfee Labs
Today the security vendor unveiled Operation Shady RAT, as McAfee has named it, a research effort that led to the identification of 72 compromised, intruded parties, all relevant to the national security posture of the U.S. or other nations, broken down into 32 unique organization categories in 14 different countries over a five-year period.
The security firm legally gained access to a particular command-and-control server used by the intruders who perpetrated the attacks and collected their logs, revealing the full extent of the victim population and the duration of the breaches since mid-2006, though it’s unclear whether the intrusions began earlier.
“I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly),” said Dmitri Alperovitch, vice president of threat research for McAfee Labs. “In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised, and those that don’t know yet.”
According to the report, there’s enormous diversity among the victim organizations, including the United Nations, a multinational Fortune 100 company, and a national Olympic team. Alperovitch said the report only analyzed the logs on one particular server and the number of intrusions perpetrated by the attacker organization is “well into the thousands.”
The report explains the intrusions were rather standard procedure: typically a spear-phishing email containing an exploit is sent to a trusted insider with privileged access at the target organization. When the email is opened on an unpatched system, a download begins and implants malware. That malware then allows a backdoor communication channel to the command-and-control server where live intruders can access the infected machine.
According to research by McAfee, which was acquired by Intel Corp. in February, these types of attacks have occurred relentlessly for the past half decade, at least. And the motivation isn’t immediate financial gratification like most cybercrime, but rather the “hunger for secrets and intellectual property,” the report explains.
Much of the information McAfee said has been compromised over the past five years includes closely guarded and classified national secrets, negotiation plans and exploration details for new oil and gas field auctions, SCADA configurations, design schematics and numerous other pieces of sensitive information.
The report explains that even if “a fraction of it is used to build better competing products or beat a competitor at a key negotiation… the loss represents a massive economic threat not just to individual companies and industries, but to entire countries.” These countries’ national security can be completely impacted with the loss of highly classified and important intelligence and defense information.
While the United States may be the most targeted and intruded country by the attackers, it isn’t the only one. Others include Canada, South Korea, Taiwan, Japan, Switzerland, the UK, Indonesia, Vietnam, Denmark, Singapore, Hong Kong, Germany and India, and, as McAfee explained, that was just from one server.
However, Graham Cluley, senior technology consultant with security vendor Sophos plc, questioned the relevance of McAfee’s findings.
“To be honest, there's nothing particularly surprising in McAfee's report to those of us who have an interest in computer security,” Cluley wrote in a blog entry Wednesday. “What the report doesn't make clear is precisely what information was stolen from the targeted organizations, and how many computers at each business were affected.”
The report claims a single actor or group conducted these intrusions as one specific operation; Alperovitch sought to clarify he doesn’t want to point fingers. “There’s no hard evidence” of who is behind the attacks, he said, “so it would only be speculation.”
“This could easily escalate from stealing to modifying… and potential exists for more dangerous activity,” Alperovitch added.
“This is a problem of massive scale that affects nearly every industry and sector of the economies of numerous countries, and the only organizations that are exempt from this threat are those that don’t have anything valuable or interesting worth stealing,” the report stated.