The cyber-security firm McAfee says it has discovered “Operation Shady RAT” (RAT standing for remote access tool). According to Dmitri Alperovitch, McAfee’s VP, these attacks are major assaults against both countries and corporations.
Apparently, this cyber-espionage campaign has been going on for five years against more than 70 public and private organizations in 14 countries.
Alperovitch writes, “Having investigated intrusions such as Operation Aurora (China’s attack on Google) and Night Dragon (systemic long-term compromise of Western oil and gas industry), as well as numerous others that have not been disclosed publicly, I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”
He also makes the point that the government-sponsored attacks of this operation are on an entirely different scale than the kiddie attacks made by groups such as Anonymous and LulzSec.
“The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cybercrime, another serious but more manageable threat.”
McAfee claims they uncovered this information by “access to one specific Command & Control server used by the intruders. We have collected logs that reveal the full extent of the victim population since mid-2006 when the log collection began.”
Alperovitch explains the familiar attack methods: “The compromises themselves were standard procedure for these types of targeted intrusions: a spear-phishing email containing an exploit is sent to an individual with the right level of access at the company, and the exploit when opened on an unpatched system will trigger a download of the implant malware. That malware will execute and initiate a backdoor communication channel to the Command & Control web server and interpret the instructions encoded in the hidden comments embedded in the webpage code. This will be quickly followed by live intruders jumping on to the infected machine and proceeding to quickly escalate privileges and move laterally within the organization to establish new persistent footholds via additional compromised machines running implant malware, as well as targeting for quick exfiltration the key data they came for.”
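The one unusual detail in that chain is the C2 channel: commands hidden in HTML comments of an otherwise ordinary web page. As an added illustration (not from McAfee or the ZDNet article), the following Python heuristic flags page comments that carry encoded-looking tokens, the kind of check a proxy or sandbox could run on fetched pages; the sample page, the token regex and the entropy threshold are all constructed assumptions.

```python
import base64
import binascii
import math
import re

# Constructed sample page: one benign comment, one carrying an encoded token.
SAMPLE_HTML = """<html><head><title>Weather</title></head>
<body>
<!-- main navigation -->
<p>Forecast: sunny.</p>
<!-- 0x1A2B3C: aGVsbG8gd29ybGQgdGhpcyBpcyBhIGNvbnN0cnVjdGVkIHRlc3Q= -->
</body></html>"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Runs of base64 alphabet characters long enough to be worth inspecting.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=]{16,}")


def shannon_entropy(s: str) -> float:
    """Bits per character: English words sit near 3, base64 data nearer 5-6."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def looks_encoded(token: str) -> bool:
    """True if the token is strictly valid base64 AND not word-like.

    The entropy floor (assumed 3.5) stops long plain words whose length
    happens to be a multiple of 4 from decoding 'successfully'.
    """
    try:
        base64.b64decode(token, validate=True)
    except (ValueError, binascii.Error):
        return False
    return shannon_entropy(token) > 3.5


def suspicious_comments(html: str) -> list[str]:
    """Return the bodies of HTML comments containing an encoded-looking token."""
    hits = []
    for m in COMMENT_RE.finditer(html):
        body = m.group(1).strip()
        if any(looks_encoded(t) for t in TOKEN_RE.findall(body)):
            hits.append(body)
    return hits


if __name__ == "__main__":
    for comment in suspicious_comments(SAMPLE_HTML):
        print("suspicious comment:", comment)
```

Hits from a heuristic like this belong in a review queue rather than a block rule: build tooling and minified frameworks also leave long comments, so tune the thresholds against known-good pages before alerting on them.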
Read More @ zdnet.com