


Operation Shady RAT (Remote Access Tool)

Anytime that you wonder why I am so “sensitive” :-) to having my personal information placed into yet another high-risk Windows environment (high cyberattack rate = high risk, even before considering the “merits” :-) [or weaknesses] of the platform), consider this recent discovery: “A widespread cyber-espionage campaign stole government secrets, sensitive corporate documents, and other intellectual property for five years from more than 70 public and private organizations in 14 countries, according to the McAfee researcher who discovered the effort.” :-)

Dmitri Alperovitch, vice president of threat research at McAfee, discovered the campaign, which has been named “Operation Shady RAT” (“RAT” stands for “Remote Access Tool”). Michael Joseph Gross of Vanity Fair was the first to write about the findings. The governments targeted include Canada, India, South Korea, Taiwan, the U.S., and Vietnam. The industries include agriculture, construction, defense, electronics, energy, government, media, and real estate. McAfee learned of the operation in March while investigating a command-and-control server it had discovered in 2009; logs on that server traced the activity back to 2006. McAfee gained access to the command-and-control server and monitored the activity recorded there.

Alperovitch wrote in the report, which was posted to the McAfee blog:

“For the last few years, especially since the public revelation of Operation Aurora, the targeted successful intrusion into Google and two dozen other companies, I have often been asked by our worldwide customers if they should worry about such sophisticated penetrations themselves or if that is a concern only for government agencies, defense contractors, and perhaps Google. My answer in almost all cases has been unequivocal: absolutely.

Having investigated intrusions such as Operation Aurora and Night Dragon (systemic long-term compromise of Western oil and gas industry), as well as numerous others that have not been disclosed publicly, I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”

Alperovitch has briefed senior White House officials, U.S. congressional staff, and government agencies in the U.S. and in other countries. He has also notified the victims and is working with U.S. law enforcement agencies in the investigations, including shutting down the command-and-control server.

Alperovitch also said, in a conference call with reporters:

“We actually know of hundreds if not thousands of these servers also used by this actor,” he said in the conference call. “The entire economy is impacted by these intrusions. Every sector of the economy is effectively owned persistently and intellectual property is going out the door…It will have an impact on our jobs, the competitiveness of our industries, and on our overall economy.”

A typical attack would send a “spear-phishing” email to a targeted employee. The message carried an exploit that, when the attachment or link was opened on an unpatched system, triggered a download of implant malware. Once the malware executed, it opened a backdoor to the command-and-control server, and from then on the implant checked in with that server to receive instructions.
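The check-in step in that chain is usually the first thing a defender can see: an implant that calls home to its command-and-control server on a schedule stands out in proxy logs because ordinary browsing is bursty while a beacon is regular. The script below is an added example, not code from the McAfee report or from this post; it flags client-to-host connection pairs whose inter-arrival times are nearly constant. The log format, the client address and the hostnames are constructed for the illustration.

```python
"""Beacon detection over web-proxy logs.

Added example for the "backdoor opened to the command-and-control server"
step: an implant checking in every ~10 minutes produces a near-constant
gap between connections, which we score with the coefficient of variation
(standard deviation / mean) of the gaps per (client, host) pair.
"""
import re
import statistics
from collections import defaultdict

# Constructed sample in a Squid-like layout: epoch time, client IP,
# destination host, HTTP status. The 'update.example-cdn.net' host is the
# hypothetical C2 and is contacted on a ~600 s cadence; the other hosts are
# normal browsing and should not be flagged.
SAMPLE_LOG = """\
1314000000.000 10.0.0.5 update.example-cdn.net 200
1314000012.000 10.0.0.5 www.example.com 200
1314000600.200 10.0.0.5 update.example-cdn.net 200
1314000700.000 10.0.0.5 www.example.com 200
1314001199.900 10.0.0.5 update.example-cdn.net 200
1314001205.000 10.0.0.5 news.example.org 200
1314001800.100 10.0.0.5 update.example-cdn.net 200
1314002301.000 10.0.0.5 www.example.com 200
1314002399.950 10.0.0.5 update.example-cdn.net 200
1314003000.050 10.0.0.5 update.example-cdn.net 200
1314003010.000 10.0.0.5 www.example.com 304
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<status>\d{3})$"
)


def parse_log(text):
    """Yield (timestamp, client, host) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield float(m["ts"]), m["src"], m["dst"]


def find_beacons(records, min_hits=5, max_cv=0.05):
    """Return {(client, host): (mean_gap_seconds, cv)} for periodic pairs.

    min_hits: ignore pairs with too few connections to judge regularity.
    max_cv:   coefficient of variation above which the gaps are too irregular
              to be a scheduled check-in (a tuning knob; real implants add
              jitter, so loosen it at the cost of more false positives).
    """
    times = defaultdict(list)
    for ts, src, dst in records:
        times[(src, dst)].append(ts)

    beacons = {}
    for pair, tss in times.items():
        if len(tss) < min_hits:
            continue
        tss.sort()
        gaps = [later - earlier for earlier, later in zip(tss, tss[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            beacons[pair] = (mean, cv)
    return beacons


def scan(text=SAMPLE_LOG, **kwargs):
    """Parse a log and return the pairs that look like C2 beacons."""
    return find_beacons(parse_log(text), **kwargs)


if __name__ == "__main__":
    for (src, dst), (mean, cv) in scan().items():
        print(f"{src} -> {dst}: every {mean:.1f}s (cv={cv:.4f})")
```

On the constructed log only the `update.example-cdn.net` pair is reported: six connections about 600 seconds apart with a coefficient of variation well under 0.001, whereas `www.example.com` has irregular gaps and fewer than `min_hits` connections. In production the same logic runs per day over the proxy or DNS logs, and the two thresholds are what you tune; the actor described on this page sat on victims for months or years, so even a loose jitter tolerance catches a long-lived implant given enough samples.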

“This would be followed by live intruders jumping on to the infected machine and proceeding to quickly escalate privileges and move laterally within the organization to establish new persistent footholds via additional compromised machines running implant malware, as well as targeting for quick exfiltration the key data they came for,” Alperovitch wrote.

A chart in the report lists all 72 targets. Most are not named; instead each is listed by type of organization, country or location, start date of the initial compromise, and duration of the intrusion. CNET says:

“They include organizations in the U.S., most countries in Southeast Asia, but none in China, and many defense contractors. Also attacked were the United Nations, the World Anti-doping Agency, and the International Olympic Committee and Olympic committees in three countries, which were targeted right before and after the 2008 Olympic Games in Beijing, according to the report. China has disputed allegations that it has engaged in cyber espionage or attacks in the past.”

Read the column by CNET’s Elinor Mills and the McAfee report (downloadable as a PDF) for additional details.

-Bill at

Cheshire Cat Photo™ – “Your Guide to California’s Wonderland™”


