Worldwide Cyber Espionage Revealed

The attacks are evidence of a growing political motivation among hackers.
August 4, 2011

Details of a highly organized, sustained campaign of computerized attacks against businesses and governments across 14 countries were disclosed yesterday by the security company McAfee.

The attacks stretch back almost five years, and ranged in duration from one month to 28 months. They affected 32 types of organizations, including government agencies and defense, construction, information technology, and accounting firms.

McAfee believes the attacks were orchestrated by a nation-state, but it has not named that country. The attackers stole information and intellectual property that could be used for both political and military gain. “With the majority of the data, we don’t fully know what it’s being used for,” Dmitri Alperovitch, vice president of threat research for McAfee, said during a press conference on Wednesday.

Corporate hacking has become a prominent issue in recent months. A spate of attacks has been aimed at companies including RSA, Lockheed Martin, and Sony. Alperovitch says the attacks announced this week—McAfee is calling them, collectively, Operation Shady RAT (for “remote access tool”)—have been less well-publicized but are more significant. In many cases, attackers used sophisticated, carefully tailored techniques to beat the companies’ defenses over a period of time—a type of attack known as an “advanced persistent threat.”

McAfee’s report says the operation involved extensive infiltration of 72 identifiable victims—and some others that the security company couldn’t identify. Some of the information stolen through the attacks was sensitive enough to have a significant impact on a country’s entire economy, according to Alperovitch. “This is really the critical issue we need to be worried about,” he said.

McAfee hasn’t been able to publicly discuss details of the operation until now because of confidentiality agreements with its clients. This changed when the company independently discovered a command-and-control server involved in the attacks. Alperovitch said the company wanted to show how widespread and pervasive advanced persistent threats are. “Even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators,” Alperovitch wrote in a blog post.

This week, Cisco released a report that corroborates McAfee’s, suggesting that advanced persistent threats are widespread and serious. “If you’re in a sensitive sector, you will become a victim of an advanced persistent threat, if you aren’t already,” says Cisco senior security researcher Mary Landesman.

Landesman sees the increase in this type of threat as part of a shift in attackers’ focus. Political motivations are increasingly driving attacks.

To pull off attacks that are “very surreptitious, very silent, and long-lasting,” Landesman says, attackers use a combination of automation and artistry. They typically start by infecting as many computers as possible with malware. Once a computer is infected, the attackers examine its IP address, and the information stored on it, to determine whether the machine is in a desirable geographic location, or belongs to an important company.

Computers deemed interesting are placed under the management of a special command-and-control server geared toward particularly important operations. The data on the computer may then be examined in more detail, or it may be used to launch a broader attack—from a receptionist’s computer to a machine within the CEO’s office, for example.

Both McAfee and Cisco agree that defending against advanced persistent threats is difficult. The defenses need to be as targeted and specialized as the attacks, Landesman says. “Ferreting out an advanced persistent threat can’t be done through a passive tool,” she says. Organizations have to map out normal traffic and behavior within their systems, and perform ongoing forensics to recognize changes that could be warning signs.

Alperovitch added that while many of the companies affected by Operation Shady RAT have plugged the holes that were leaking information, some may still not know the extent of the damage done. And that won’t be clear until the attackers begin to use the information they’ve stolen.

Illustration by Rose Wong