The US and other governments, and international bodies such as the UN, have been under the largest co-ordinated cyber attack ever discovered, lasting at least five years, according to security firm McAfee.
The co-ordinated attack is believed to be from China, and is similar to the Night Dragon attack on power companies, exposed in February. This operation hit 72 organisations, including the governments of the US, South Korea, Taiwan, Vietnam and Canada, international bodies including the UN and the International Olympic Committee, as well as US defence and construction contractors. McAfee uncovered the attack by gaining access to one of the attackers' control servers, and has dubbed it Shady RAT after the remote access tools it used.
McAfee does not know what information was stolen, but Alperovitch suggests the most likely motive was industrial espionage and intellectual property theft. “This is the biggest transfer of wealth in terms of intellectual property in history,” Alperovitch said.
He has also not revealed the names of the companies involved, who were hit with spear-phishing emails and other tools to gain eventual access to the servers. Some of the attacks lasted for a month, others went on as long as 28 months.
Alperovitch says he believes a nation state is behind the attacks, but won’t speculate on which – although security analysts quoted in the media have said the most obvious suspect – given the attack hit Taiwan and the IOC – is China.
earliest evidence we have for the start of the compromises.”
Cyber attacks by nation states have become an increasing fear, with national infrastructures potentially vulnerable. Iran has accused the US and Israel of attacks including the Stuxnet worm. However, attacks designed to take intellectual property, such as the report in January that the Kneber botnet used the Zeus Trojan to steal US government documents, can be more serious. In most cases they leave no obvious trace.
Comment by email from Amichai Shulman, CTO and co-founder of Imperva:
“With automation, large intrusions of this magnitude are, sadly, common. For example, our most recent blog entry indicates 90 victims from a campaign that encompassed probably hundreds of thousands of potential targets over a few weeks of activity. Another recent campaign (whose detailed account was given by Armorize) encompassed millions of compromised pages over thousands of sites over a few weeks of activity.
Regarding the interpretation of the attacker identity and what is the methodology, McAfee got it wrong. Rather than a government, I think that this is Targeted Criminal Hacking. Botnet farmers are massively infecting computers by automated Spear Phishing campaigns (we experience them at Imperva). Then hackers are able to profile the infected machines by organization and sell machines to other hackers who look for specific targets. So the infection is only partly targeted. However, those who use the payload eventually do target a specific organization. It is important to make this distinction because unlike the commentary in the paper, I don't think that the adversary is really putting a lot of effort targeting a single organization—it wouldn’t be cost effective.
There is a clear commercial motivation here. Attackers accumulate infected machines which they then further sell for higher profit to customers looking for specific targets. This ties in exactly to our latest blog which showcases another attacker who accumulated compromised servers arbitrarily and is now selling them to people with specific needs.
I also find it very strange that while the introduction discusses petabytes of stolen information the actual paper does not provide any actual data regarding it.
I think that McAfee have done a great job getting the data, less so analyzing it. In particular, correct analysis of the motivation and methods allows organizations to put the right controls in place. Clearly the main issue here is infected machines connected to internal networks and accessing internal data sources. This kind of threat emphasizes the need for tighter control and audit around internal data sources (either database servers or file servers). Database and file server monitoring solutions allow organizations to detect abusive access patterns from within the organization and apply access controls that cannot be bypassed by privileged users.”
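The comment above argues that the practical control is monitoring of internal file and database servers for abusive access patterns coming from inside the network. The script below is an added illustration of what such a detector looks like; it is not Imperva's or McAfee's code, and the audit-log format (`ts host= user= action= path= bytes=`), the sample lines and the thresholds are all constructed assumptions for this example. It profiles each user/host pair from file-server audit lines and flags principals that touch far more top-level shares than their peers (breadth anomaly) or that read files in a rapid burst (bulk-collection pattern), which is the kind of behaviour an infected workstation exhibits when it is being used to sweep internal data.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample of file-server audit lines (not real data).
# The format is an assumption made for this example.
SAMPLE_LOG = """\
2011-08-02T09:01:10Z host=ws-041 user=alice action=read path=/finance/q2/budget.xlsx bytes=20480
2011-08-02T09:05:32Z host=ws-041 user=alice action=read path=/finance/q2/forecast.xlsx bytes=18200
2011-08-02T09:20:00Z host=ws-052 user=bob action=read path=/engineering/specs/turbine.pdf bytes=402000
2011-08-02T09:22:14Z host=ws-052 user=bob action=write path=/engineering/specs/turbine.pdf bytes=405000
2011-08-02T09:30:07Z host=ws-117 user=carol action=read path=/finance/q2/budget.xlsx bytes=20480
2011-08-02T09:30:09Z host=ws-117 user=carol action=read path=/engineering/specs/turbine.pdf bytes=402000
2011-08-02T09:30:11Z host=ws-117 user=carol action=read path=/legal/contracts/vendor-a.docx bytes=88000
2011-08-02T09:30:12Z host=ws-117 user=carol action=read path=/legal/contracts/vendor-b.docx bytes=91000
2011-08-02T09:30:14Z host=ws-117 user=carol action=read path=/hr/reviews/2011.xlsx bytes=150000
2011-08-02T09:30:15Z host=ws-117 user=carol action=read path=/rnd/patents/draft-07.docx bytes=220000
2011-08-02T09:30:17Z host=ws-117 user=carol action=read path=/rnd/patents/draft-08.docx bytes=230000
2011-08-02T09:30:18Z host=ws-117 user=carol action=read path=/finance/q1/actuals.xlsx bytes=19000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"path=(?P<path>\S+) bytes=(?P<bytes>\d+)$"
)


def parse(log_text):
    """Parse audit lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["bytes"] = int(d["bytes"])
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(d)
    return events


def build_profiles(events):
    """Aggregate per (user, host): files touched, top-level shares, bytes, timestamps."""
    profiles = defaultdict(lambda: {"files": set(), "shares": set(), "bytes": 0, "timestamps": []})
    for e in events:
        p = profiles[(e["user"], e["host"])]
        p["files"].add(e["path"])
        p["shares"].add(e["path"].split("/")[1])  # first path component, e.g. "finance"
        p["bytes"] += e["bytes"]
        p["timestamps"].append(e["ts"])
    return profiles


def burst_count(timestamps, window_seconds=60):
    """Largest number of events that fall inside any sliding window of window_seconds."""
    ts = sorted(timestamps)
    best, j = 0, 0
    for i in range(len(ts)):
        while (ts[i] - ts[j]).total_seconds() > window_seconds:
            j += 1
        best = max(best, i - j + 1)
    return best


def find_anomalies(events, breadth_factor=2.0, min_breadth=3, burst_threshold=6):
    """Flag principals whose share breadth or access rate stands out from their peers.

    breadth_factor/min_breadth/burst_threshold are illustrative thresholds; in
    production they would be tuned per environment and per role.
    """
    profiles = build_profiles(events)
    breadths = [len(p["shares"]) for p in profiles.values()]
    baseline = median(breadths) if breadths else 0
    alerts = []
    for (user, host), p in profiles.items():
        reasons = []
        breadth = len(p["shares"])
        if breadth >= min_breadth and breadth > breadth_factor * baseline:
            reasons.append(f"touched {breadth} top-level shares vs. peer median {baseline:g}")
        burst = burst_count(p["timestamps"])
        if burst >= burst_threshold:
            reasons.append(f"{burst} accesses within 60s")
        if reasons:
            alerts.append({"user": user, "host": host, "reasons": reasons,
                           "shares": sorted(p["shares"]), "bytes": p["bytes"]})
    return alerts


if __name__ == "__main__":
    for a in find_anomalies(parse(SAMPLE_LOG)):
        print(f"ALERT {a['user']}@{a['host']} ({a['bytes']} bytes): " + "; ".join(a["reasons"]))
```

The two signals are deliberately independent of who the user is: a compromised workstation typically operates under a legitimate, often privileged, account, so a detector keyed on identity alone would see nothing wrong. Comparing each principal's breadth against the peer median rather than a fixed number keeps the rule usable across shares of very different sizes, and the burst check catches scripted collection even when the attacker stays within a single share.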