A surprising number of organisations have fallen – or are falling – victim to cyber-spying, where the intruders are motivated by hunger for secrets and intellectual property rather than the financial gratification that drives most cybercrime.
This is revealed in a white paper by Dmitri Alperovitch, vice-president of threat research at McAfee, which argues that far more companies should be concerned about already having been compromised.
“Having investigated intrusions such as Operation Aurora and Night Dragon (systemic long-term compromise of Western oil and gas industry), as well as numerous others that have not been disclosed publicly, I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact,” Alperovitch writes.
“In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”
Although there has been a lot of press lately about hacks by groups such as Anonymous and Lulz Security, these attacks are mild compared with the advanced persistent threats (APTs), which are more insidious and occur largely without public disclosure.
In fact, Alperovitch believes that the last five or six years have seen an unprecedented transfer of wealth, as mostly Western companies have lost data to what he calls “dogged adversaries”.
“What is happening to all this data — by now reaching petabytes as a whole — is still largely an open question,” he says. “However, if even a fraction of it is used to build better competing products or beat a competitor at a key negotiation, the loss represents a massive economic threat not just to individual companies and industries but to entire countries that face the prospect of decreased economic growth in a suddenly more competitive landscape and the loss of jobs in industries that lose out to unscrupulous competitors in another part of the world, not to mention the national security impact of the loss of sensitive intelligence or defense information.
“Yet, the public (and often the industry) understanding of this significant national security threat is largely minimal due to the very limited number of voluntary disclosures by victims of intrusion activity compared to the actual number of compromises that take place.”
Operation Shady RAT (RAT being the acronym for remote access tool) is an analysis of the profiles of victims compromised in a five-year targeted operation by one specific actor.
“McAfee has gained access to one specific Command & Control server used by the intruders. We have collected logs that reveal the full extent of the victim population since mid-2006 when the log collection began,” Alperovitch says, adding that intrusion may have begun before that.
The attacks were generally targeted intrusions on unpatched systems that triggered a download of implant malware, which would execute and open a backdoor communication channel to the Command & Control web server. Live intruders would then connect to the infected machine, escalate privileges and move laterally within the organisation.
“After painstaking analysis of the logs, even we were surprised by the enormous diversity of the victim organisations and were taken aback by the audacity of the perpetrators,” says Alperovitch.
He adds that organisations of all kinds are victims of these attacks, from governments to corporations to SMEs – and even a computer security firm.
In total, McAfee identified 72 compromised organisations. The shortest time one of them remained compromised was one month, and the longest was 28 months.
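The victim count and dwell times above come from analysing the beacon records on the Command & Control server. As an added illustration, not code from McAfee or the white paper, the following script shows how a defender with such logs would derive the same figures: it groups beacons by victim, takes the first and last sighting of each, and reports the number of victims and the shortest and longest compromise in months. The log format and the victim identifiers are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample C2 web-server log: "<date> beacon <victim-id> <path>".
# The format and victim ids are hypothetical, chosen only for this example.
SAMPLE_LOG = """\
2006-07-03 beacon victim-A /check
2006-08-01 beacon victim-A /check
2006-07-15 beacon victim-B /check
2008-11-10 beacon victim-B /check
2007-01-02 beacon victim-C /check
garbage line that should be skipped
"""


def parse_beacons(text):
    """Yield (date, victim_id) for every well-formed beacon line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "beacon":
            continue
        try:
            yield datetime.strptime(parts[0], "%Y-%m-%d").date(), parts[2]
        except ValueError:
            continue  # malformed date: ignore rather than abort the analysis


def months_between(first, last):
    """Calendar months spanned from first to last sighting, counting a partial
    trailing month as a whole one; a single sighting still counts as one month."""
    months = (last.year - first.year) * 12 + (last.month - first.month)
    if last.day > first.day:
        months += 1
    return max(months, 1)


def dwell_times(text):
    """Map victim id -> (first_seen, last_seen, months_compromised)."""
    sightings = defaultdict(list)
    for day, victim in parse_beacons(text):
        sightings[victim].append(day)
    return {v: (min(d), max(d), months_between(min(d), max(d)))
            for v, d in sightings.items()}


def summarise(text):
    """Return (victim_count, shortest_months, longest_months) for a log."""
    durations = [m for _, _, m in dwell_times(text).values()]
    return len(durations), min(durations), max(durations)


if __name__ == "__main__":
    for victim, (first, last, months) in sorted(dwell_times(SAMPLE_LOG).items()):
        print(f"{victim}: {first} .. {last} ({months} months)")
    print("victims, shortest, longest:", summarise(SAMPLE_LOG))
```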
The full report can be accessed at: http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf