Is China behind attacks on the US, South Korea, the Olympics Committee and others, exposed by McAfee?
The US and other governments, and international bodies such as the UN, have been under the largest co-ordinated cyber attack ever discovered, lasting at least five years, according to security firm McAfee.
The co-ordinated attack is believed to come from China, and is similar to the Night Dragon attack on energy companies, exposed in February. This operation hit 72 organisations, including the governments of the US, South Korea, Taiwan, Vietnam and Canada, international bodies including the UN and the International Olympic Committee, and US defence and construction contractors. McAfee uncovered the attack by gaining access to one of the attackers' command-and-control servers, and has dubbed it Shady RAT after the remote access tools it used.
Not a new attack
“This is not a new attack, and the vast majority of the victims have long since remediated these specific infections,” said Dmitri Alperovitch, threat research vice president at McAfee, who described the attack in a blog post and a white paper (PDF), “although whether most realized the seriousness of the intrusion or simply cleaned up the infected machine without further analysis into the data loss is an open question.”
McAfee does not know what information was stolen, but Alperovitch suggests the most likely motive was industrial espionage and intellectual property theft. “This is the biggest transfer of wealth in terms of intellectual property in history,” Alperovitch said.
He has also not named the companies involved. Victims were compromised through spear-phishing emails and other tools that eventually gave the attackers access to their servers. Some intrusions lasted a month; others went on for as long as 28 months.
Alperovitch says he believes a nation state is behind the attacks, but won’t speculate on which one, although security analysts quoted in the media have said the most obvious suspect, given that the attack hit Taiwan and the IOC, is China.
The information comes from inside the attackers’ own systems, said Alperovitch: “McAfee has gained access to one specific Command & Control server used by the intruders,” he said in the white paper. “We have collected logs that reveal the full extent of the victim population since mid-2006 when the log collection began. Note that the actual intrusion activity may have begun well before that time but that is the earliest evidence we have for the start of the compromises.”
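The victim count, the "since mid-2006" date and the per-victim dwell times quoted above are the kind of figures a responder derives from captured C2 server logs. The following is an added example, not code from McAfee's report: it reconstructs a first-seen/last-seen timeline per victim from beacon logs and computes the population-level numbers. The log format, the host names and every log line are constructed for illustration; a real C2 log would need its own parser.

```python
"""Reconstruct a victim timeline from captured command-and-control (C2) logs.

Added example, not taken from the McAfee report. The log format is invented:
one line per beacon, "<ISO-8601 timestamp> <victim_id> <event>".
"""
from datetime import datetime

# Constructed sample log: three implants beaconing to the C2 over several years,
# plus one malformed line of the kind seized logs usually contain.
SAMPLE_LOG = """\
2006-07-03T09:12:44Z host-a CHECKIN
2006-07-03T09:12:45Z host-a CMD
2006-08-01T10:00:00Z host-a CHECKIN
2007-01-15T02:30:10Z host-b CHECKIN
2007-02-10T02:31:00Z host-b CHECKIN
2008-10-29T11:45:02Z host-a CHECKIN
2008-11-05T11:45:30Z host-a CHECKIN
2009-03-20T08:00:00Z host-c CHECKIN
2009-04-18T08:00:00Z host-c CHECKIN
garbage line that should be skipped
"""

AVG_DAYS_PER_MONTH = 30.44  # used only to express dwell time in months


def parse_line(line):
    """Parse one beacon line; return (timestamp, victim_id, event) or None if malformed."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, parts[1], parts[2]


def build_timeline(log_text):
    """Return {victim_id: {first_seen, last_seen, beacons, days, months}}.

    Malformed lines are skipped rather than aborting: logs captured from an
    adversary's server are rarely clean, and one bad line must not hide the rest.
    """
    timeline = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, victim, _event = rec
        entry = timeline.setdefault(
            victim, {"first_seen": ts, "last_seen": ts, "beacons": 0}
        )
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
        entry["beacons"] += 1
    for entry in timeline.values():
        entry["days"] = (entry["last_seen"] - entry["first_seen"]).days
        # A victim seen only briefly still counts as at least one month of dwell.
        entry["months"] = max(1, round(entry["days"] / AVG_DAYS_PER_MONTH))
    return timeline


def summarize(timeline):
    """Population-level figures of the kind a report quotes.

    earliest_evidence is the first beacon in the log, which is a lower bound on
    when the intrusions began: log collection starting in month X says nothing
    about activity before X.
    """
    earliest = min(e["first_seen"] for e in timeline.values())
    longest_id, longest = max(timeline.items(), key=lambda kv: kv[1]["days"])
    return {
        "victims": len(timeline),
        "earliest_evidence": earliest.date().isoformat(),
        "longest_victim": longest_id,
        "longest_months": longest["months"],
    }


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_LOG)
    for victim, e in sorted(tl.items()):
        print(f"{victim}: {e['first_seen'].date()} .. {e['last_seen'].date()} "
              f"({e['days']} days, ~{e['months']} months, {e['beacons']} beacons)")
    print(summarize(tl))
```

Note the caveat the white paper itself makes: the earliest timestamp in the log is when collection began, not when the first compromise happened, so the timeline only bounds the start of the operation from above.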
Cyber attacks by nation states have become an increasing fear, with national infrastructures potentially vulnerable. Iran has accused the US and Israel of attacks including the Stuxnet worm. However, attacks designed to take intellectual property, such as the report in January that the Kneber botnet used the Zeus Trojan to steal US government documents, can be more serious: in most cases they leave no obvious trace, so the victim may never learn what was taken.