It’s looking like the world’s biggest cyberattack, and also like it’s been transpiring under our noses. That’s according to a report released today by security firm McAfee detailing the company’s investigation of massive intrusions into over 70 international companies, including governments and non-profit organizations, which occurred within the last five years.
Forget hacktivist groups like LulzSec and Anonymous—rank amateurs by comparison, implies the McAfee report.
“Lately, with the rash of revelations about attacks on organizations such as RSA, Lockheed Martin, Sony, PBS, and others, I have been asked by surprised reporters and customers whether the rate of intrusions is increasing and if it is a new phenomenon,” writes the report’s author, McAfee vice president of threat research Dmitri Alperovitch, who finds the question “ironic because these types of exploitations have occurred relentlessly for at least a half decade” and calls information leaked over the past six months the “result of relatively unsophisticated and opportunistic exploitations for the sake of notoriety by loosely organized political hacktivist groups such as Anonymous and Lulzsec.”
By comparison, says Alperovitch, the attacks McAfee’s been investigating “are much more insidious and occur largely without public disclosures.” Ergo McAfee’s frightening security dump this morning.
“With the goal of raising the level of public awareness today we are publishing the most comprehensive analysis ever revealed of victim profiles from a five year targeted operation by one specific actor — Operation Shady RAT, as I have named it at McAfee (RAT is a common acronym in the industry which stands for Remote Access Tool),” says Alperovitch in the report.
The perp? Unnamed, though China comes to mind with all the stories in recent months alleging the country’s been involved in clandestine, state-sponsored cyber-warfare (that last term’s debatable, of course). In any event, Alperovitch says the guilty party is singular, as in “one specific operation conducted by a single actor/group,” and while he’s careful not to jump to conclusions, he suggests “a state actor behind the intrusions.”
How do we know any of this? Alperovitch says McAfee “gained access to one specific Command & Control server used by the intruders,” and began gathering log-based evidence in mid-2006 (while noting the attacks could have begun earlier). The attacks were carried out using spear-phishing (targeted delivery of malware), after which the intruders used the resulting access to escalate privileges and seize “petabytes” of data.
While Alperovitch says he doesn’t want to identify specific victims (from the total 72), he does outline general infrastructure compromised, including government agencies in the U.S., Canada, South Korea, Vietnam, Taiwan, the United Nations and India, as well as various industries ranging from construction outfits and electronics firms to defense contractors, real estate agencies and “international sports.”
“I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact,” said Alperovitch. “In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”