Attack of the Shady RAT

Morgan O'Rourke


September 1, 2011

Lately, hacktivist groups like Anonymous and LulzSec have been making headlines almost daily for high-profile attacks on corporate and government interests. This year alone, Anonymous targeted the government networks of Tunisia, Egypt and others in support of the Arab Spring uprisings, exposed confidential Bank of America emails and attacked security firm HBGary Federal after it claimed to have successfully infiltrated and investigated the group. Meanwhile, LulzSec reportedly hit Fox, Sony, PBS and the CIA, among others, in a public 50-day hacking marathon. The group even posted a fake news report of media mogul Rupert Murdoch's death on a News Corporation site in the wake of the company's phone hacking scandal in the UK.

But amid all of these headline-grabbing breaches, a more insidious hacking operation was being carried out under the radar. Over the last five years, according to security company McAfee, a single sustained campaign compromised government agencies in 14 countries, the United Nations, the International Olympic Committee, 13 U.S. and UK defense contractors, and a wide range of corporate and nonprofit interests. McAfee counted 72 victim organizations in all and dubbed the campaign "Operation Shady RAT" after the remote access tool (RAT) malware the intruders used to control compromised systems. The count comes from the logs of one command-and-control server the attackers used, so the true number of victims is likely higher.

The method of access was not unique. The hackers used "spear-phishing": employees are sent seemingly legitimate, individually targeted emails carrying attachments that, when opened, silently install malware giving the attackers remote control of the workstation and a foothold inside the company's network. Recently, similar methods were used to break into the French and Canadian finance ministries, Google and several energy companies.
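The spear-phishing lure described above usually rests on an attachment that is not what its name claims to be. The following is an added example, not code from the article or from McAfee, showing a first-pass triage check a mail gateway or analyst could run: it parses a message, and for each attachment compares the declared file name against the file's leading bytes and flags executable extensions, document-style double extensions and legacy Office containers. The sample message, addresses and file names are constructed for the example.

```python
"""Triage e-mail attachments for common spear-phishing disguises (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Extensions that Windows executes directly when the user double-clicks them.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "jar"}

# Document-like extensions an attacker hides an executable behind ("report.pdf.exe").
DOCUMENT_EXTENSIONS = {"pdf", "doc", "xls", "ppt", "jpg", "txt"}

# Leading bytes that identify the real container, independent of the declared name.
MAGIC = {
    b"MZ": "pe-executable",
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole2-office",   # legacy .doc/.xls/.ppt; may carry VBA macros
    b"PK\x03\x04": "zip",                 # also .docx/.xlsx and .jar
}


def sniff(data):
    """Return the container type implied by the file's magic bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(filename, data):
    """Return the list of reasons an attachment looks suspicious (empty if none)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
        reasons.append("double extension masquerading as a document")
    if kind == "pe-executable" and ext not in EXECUTABLE_EXTENSIONS:
        reasons.append("PE header inside a non-executable extension")
    if kind == "ole2-office":
        reasons.append("legacy OLE2 Office file (may contain VBA macros)")
    return reasons


def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message and triage every attachment by file name."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings[name] = triage_attachment(name, part.get_payload(decode=True) or b"")
    return findings


def build_sample_message():
    """Constructed sample: one disguised executable and one genuine PDF (hypothetical data)."""
    m = EmailMessage()
    m["From"] = "secretariat@example.org"        # hypothetical sender
    m["To"] = "analyst@example.com"              # hypothetical recipient
    m["Subject"] = "Updated agenda for the committee meeting"
    m.set_content("Please review the attached agenda before Monday's session.")
    # Declared as a PDF, named like a PDF, but the payload starts with a PE header.
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                     subtype="pdf", filename="Agenda.pdf.exe")
    # A harmless PDF for comparison.
    m.add_attachment(b"%PDF-1.4\n%benign sample\n", maintype="application",
                     subtype="pdf", filename="Agenda.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample_message()).items():
        print(name, "->", reasons or "clean")
```

The check is deliberately cheap: it looks only at names and the first few bytes, so it catches the disguises an attacker relies on a hurried reader not noticing, but it says nothing about exploit documents whose container is genuine. Those need a sandbox or content inspection, which is out of scope here.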

What is unique, and perhaps telling of a greater threat, is that unlike Anonymous or LulzSec, which generally hack into companies for laughs (or "lulz" in hacker-speak), no group has ever claimed responsibility for Operation Shady RAT. These intrusions were also far longer-lived: one organization was compromised for 28 months. According to McAfee, in an "unprecedented transfer of wealth," petabytes (a petabyte is roughly one million gigabytes) of intellectual property, ranging from national security secrets to proprietary source code to email archives, have been stolen. What has happened to that data and what it is being used for remains a mystery.

"If even a fraction of it is used to build better competing products or beat a competitor at a key negotiation -- due to having stolen the other team's playbook -- the loss represents a massive economic threat not just to individual companies and industries but to entire countries that face the prospect of decreased economic growth," said Dmitri Alperovitch, McAfee's vice president of threat research.

Alperovitch also emphasized the possible national security implications of the attacks. Many of the Shady RAT targets, such as the United Nations, the Association of Southeast Asian Nations Secretariat, and various Olympic committees, think tanks and political nonprofit organizations, hold information with no obvious commercial use. That pattern, he noted, suggests the operation could be the work of politically motivated "state actors" looking to obtain sensitive intelligence or defense information.

Ultimately, Operation Shady RAT has revealed that not all hackers are driven by flashy headlines or the desire to create mayhem. The threat is far more sophisticated, patient and widespread. "This is a problem of massive scale that affects nearly every industry and sector of the economies of numerous countries," said Alperovitch. "The only organizations that are exempt from this threat are those that don't have anything valuable or interesting worth stealing." And if your company falls into that category, you may have an even larger problem.

Morgan O’Rourke is editor in chief of Risk Management and director of publications for the Risk & Insurance Management Society, Inc. (RIMS)