Details of a highly organized, sustained campaign of computerized attacks against businesses and governments across 14 countries were disclosed yesterday by the security company McAfee.
The attacks stretch back almost five years, and ranged in duration from one month to 28 months. They affected 32 types of organizations, including government agencies and defense, construction, information technology, and accounting firms.
McAfee believes the attacks were orchestrated by a nation-state, but it has not named that country. The attackers stole information and intellectual property that could be used for both political and military gain. “With the majority of the data, we don’t fully know what it’s being used for,” Dmitri Alperovitch, vice president of threat research for McAfee, said during a press conference on Wednesday.
Corporate hacking has become a prominent issue in recent months. A spate of attacks has been aimed at companies including RSA, Lockheed Martin, and Sony. Alperovitch says the attacks announced this week—McAfee is calling them, collectively, Operation Shady RAT (for “remote access tool”)—have been less well-publicized but are more significant. In many cases, attackers used sophisticated, carefully tailored techniques to beat the companies’ defenses over a period of time—a type of attack known as an “advanced persistent threat.”
McAfee’s report says the operation involved extensive infiltration of 72 identifiable victims—and some others that the security company couldn’t identify. Some of the information stolen through the attacks was sensitive enough to have a significant impact on a country’s entire economy, according to Alperovitch. “This is really the critical issue we need to be worried about,” he said.
McAfee hasn’t been able to publicly discuss details of the operation until now because of confidentiality agreements with its clients. This changed when the company independently discovered a command-and-control server involved in the attacks. Alperovitch said the company wanted to show how widespread and pervasive advanced persistent threats are. “Even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators,” Alperovitch wrote in a blog post.
This week, Cisco released a report that corroborates McAfee’s, suggesting that advanced persistent threats are widespread and serious. “If you’re in a sensitive sector, you will become a victim of an advanced persistent threat, if you aren’t already,” says Cisco senior security researcher Mary Landesman.
Landesman sees the increase in this type of threat as part of a shift in attackers’ focus. Political motivations are increasingly driving attacks.
To pull off attacks that are “very surreptitious, very silent, and long-lasting,” Landesman says, attackers use a combination of automation and artistry. They typically start by infecting as many computers as possible with malware. Once a computer is infected, the attackers examine its IP address, and the information stored on it, to determine whether the machine is in a desirable geographic location, or belongs to an important company.
Computers deemed interesting are placed under the management of a special command-and-control server geared toward particularly important operations. The data on the computer may then be examined in more detail, or it may be used to launch a broader attack—from a receptionist’s computer to a machine within the CEO’s office, for example.
Both McAfee and Cisco agree that defending against advanced persistent threats is difficult. The defenses need to be as targeted and specialized as the attacks, Landesman says. “Ferreting out an advanced persistent threat can’t be done through a passive tool,” she says. Organizations have to map out normal traffic and behavior within their systems, and perform ongoing forensics to recognize changes that could be warning signs.
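The baseline-and-deviation approach Landesman describes can be illustrated with a small script. This is an added example, not code from the article, McAfee, or Cisco; the host names, the destination address, and every connection record in it are constructed. It builds a map of which destinations each workstation normally talks to, then reports two kinds of change in a later window: destinations never seen during the baseline, and connection pairs that recur at a near-constant interval over a long span but were not periodic before (regular traffic that already existed in the baseline, such as an hourly mail check, is deliberately not flagged).

```python
"""Baseline outbound connections, then report deviations in a later window.

Added example (not from the article or the companies it quotes). Records are
(epoch_seconds, source_host, destination, bytes_out) and are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline window: hourly mail polling and a two-hourly CDN fetch.
BASELINE = [
    (1000 + i * 3600, "ws-reception", "mail.example.internal", 2000 + (i % 3) * 100)
    for i in range(48)
] + [
    (1000 + i * 7200, "ws-reception", "cdn.example.net", 1500) for i in range(24)
]

# Constructed monitored window: the same mail polling plus a steady
# 10-minute connection to an address the baseline never saw (documentation range).
MONITORED = [
    (200000 + i * 3600, "ws-reception", "mail.example.internal", 2100) for i in range(48)
] + [
    (200000 + i * 600, "ws-reception", "203.0.113.50", 512) for i in range(288)
]


def build_baseline(records):
    """Map each source host to the set of destinations it normally contacts."""
    seen = defaultdict(set)
    for _, src, dst, _ in records:
        seen[src].add(dst)
    return seen


def new_destinations(baseline, records):
    """Destinations contacted in the monitored window that the baseline never saw."""
    found = defaultdict(set)
    for _, src, dst, _ in records:
        if dst not in baseline.get(src, set()):
            found[src].add(dst)
    return found


def beacon_candidates(records, min_events=20, max_cv=0.1, min_span=6 * 3600):
    """Return (src, dst) pairs whose inter-connection gaps are nearly constant
    (coefficient of variation <= max_cv) and which persist for at least min_span
    seconds. Thresholds are illustrative assumptions, not tuned values."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        times.sort()
        if len(times) < min_events:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg  # 0 means perfectly regular timing
        span = times[-1] - times[0]
        if cv <= max_cv and span >= min_span:
            flagged[pair] = {"interval_s": round(avg), "events": len(times), "span_s": span}
    return flagged


def report(baseline_records, monitored_records):
    """Changes relative to the baseline: new destinations, and periodic pairs
    that were not periodic during the baseline window."""
    baseline = build_baseline(baseline_records)
    known_periodic = set(beacon_candidates(baseline_records))
    periodic_now = beacon_candidates(monitored_records)
    return {
        "new_destinations": {
            src: sorted(dsts) for src, dsts in new_destinations(baseline, monitored_records).items()
        },
        "new_periodic": {p: info for p, info in periodic_now.items() if p not in known_periodic},
    }


if __name__ == "__main__":
    for section, items in report(BASELINE, MONITORED).items():
        print(section)
        for key, value in items.items():
            print("   ", key, value)
```

On the constructed data the hourly mail connection is periodic in both windows and stays quiet, while the new 10-minute connection is reported both as a never-seen destination and as a new periodic pair spanning two days. The thresholds are assumptions; in practice the baseline would be built from real flow or proxy logs over a long enough window to capture legitimate periodic traffic such as update checks and time synchronization.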
Alperovitch added that while many of the companies affected by Operation Shady RAT have plugged the holes that were leaking information, some may still not know the extent of the damage done. And that won’t be clear until the attackers begin to use the information they’ve stolen.