Operation Shady RAT reveals worldwide espionage attacks

In selecting their targets the hackers were primarily interested in stealing information
Source: McAfee

According to a report by McAfee, since 2006, cyber-espionage has been carried out against a total of 72 organisations in 14 countries in a series of professional hacking attacks. 49 of the 72 organisations targeted are located in the US and include government agencies, defence contractors, an academic institution, and the New York and Hong Kong offices of a news organisation. Reportedly, the news organisation in question is Associated Press.

McAfee refrained from naming the vast majority of victims. Where they did name the affected organisations it was "to reinforce the fact that virtually everyone is falling prey to these intrusions, regardless of whether they are the United Nations, a multinational Fortune 100 company, a small non-profit think-tank, a national Olympic team, or even an unfortunate computer security firm."

Two UK organisations were affected: a defence contractor and a computer security company. The United Nations in Geneva and the International Olympic Committee were also victims. A Washington Post report, citing an expert from the Center for Strategic and International Studies, points to China as the likely source of the attacks.

The attacks came to light when McAfee, which has dubbed the series of attacks Operation Shady RAT, analysed an intrusion at one of its customers and was able to track down the command and control server. Anti-virus experts at the company were able to access the server's log files, which contained detailed records of the attacks.

The criminals sent targeted emails containing specially crafted attachments to select personnel within the affected organisations. In spear-phishing attacks of this type, the emails are often well formulated and formatted, making it hard for potential victims to distinguish them from legitimate emails. If the recipient opens the attachment, the exploit downloads further malware.

The infected computer is then ready to respond to commands from the command and control server. According to McAfee, in this case normal web sites were used as a communications channel; commands were inserted into web pages as encrypted HTML comments, which McAfee's heuristics identified as Generic Downloader.x and Generic BackDoor.t. After infection, it generally took very little time before the criminals connected to the infected system and accessed confidential information.

The attackers were consistently able to maintain access to the victim's network over a prolonged period. They were able to access infected computers for at least a month and, in the case of the Olympic Council of Asia, the cyber-spies were able to snoop around for as long as 28 months. The criminals' most successful year came in 2009, in the course of which they were able to penetrate systems belonging to 38 victims. In the following year this total fell to 17, and this year there have been just nine successful attacks. McAfee believes that the decline in attacks is due to advances in virus detection and that the criminals will already have developed new tactics which they will deploying on another server.

(ehe)