Study: Operation Shady Rat Revealed

Type threatpost
Reporter Brian Donohue
Modified 2013-04-17T20:07:20


Global 2000 companies can be split into two categories, according to the author of a new white paper from McAfee (PDF): those that know they’ve been compromised and those that don’t yet know.

“The only organizations that are exempt from this threat,” writes the paper’s author, Dmitri Alperovitch, “are those that don’t have anything valuable or interesting worth stealing.”

The white paper, ‘Revealed: Operation Shady RAT,’ details a half-decade’s worth of cyber attacks originating from a single command and control server operated by an unnamed actor.

Alperovitch argues that the rate of intrusions over the last six months is neither a new phenomenon nor even an increase; these sorts of attacks have been occurring relentlessly for at least the last five years. He characterizes attacks from groups like Anonymous and LulzSec as relatively unsophisticated, opportunistic exploits by groups seeking fame and notoriety. Alperovitch also plays down the threat of financially motivated cybercrime, calling it a serious but manageable threat.

Our true adversaries, he says, are those that are “motivated by a massive hunger for secrets and intellectual property.”

Key among McAfee’s findings is the diversity of victims. The U.S. accounted for by far the most, with 49 compromised organizations, followed at a distance by Canada and South Korea with four and three respectively, but the targeting was not limited to North America and Europe: a number of Asian nations were hit as well.

McAfee began collecting logs from this server in 2006, when there were only eight intrusions. The following year that number rose by a staggering 260 percent, to 29 compromises. In 2008 the number jumped again, to 36 victims, and in 2009 there were 38. Over the last two years the server McAfee was logging became less active, which the paper attributes, tentatively, to the wider availability of security countermeasures against the exploits this actor used.

By far the most heavily targeted organizations were defense contractors, but U.S. federal and state governments and the international sports, construction and electronics industries were heavily targeted as well.

On the whole, Alperovitch reads the data as evidence that we are in the midst of an unprecedented transfer of wealth, whether that wealth takes the form of source code, SCADA configurations, design schematics, or other valuable proprietary information and state secrets.