The United States, United Nations, defense contractors and the International Olympic Committee were targets of a massive global cyber spying campaign, a computer security firm said Wednesday, with China seen as the likely culprit.
California-based McAfee said it had identified 72 victims in 14 countries of a sophisticated hacking effort dubbed “Operation Shady RAT,” which it traced back to at least 2006.
McAfee vice president for threat research Dmitri Alperovitch described the campaign as a “five-year targeted operation by one specific actor,” but declined to identify the country responsible.
The “compromised parties” included the governments of Canada, India, South Korea, Taiwan, the United States and Vietnam, McAfee said in a report, as well as a US Energy Department research lab and around a dozen US defense contractors.
Others included computer networks of the United Nations, the Association of Southeast Asian Nations, the International Olympic Committee, Asian and Western national Olympic committees and the Montreal-based World Anti-Doping Agency.
In a conference call with reporters, Alperovitch, the report’s lead author, said the intrusions into defense contractor systems targeted “sensitive military technologies.”
He said McAfee had notified law enforcement about the cyber espionage campaign, briefed the White House and members of the US Congress and was working with some of the targeted companies on remediation efforts.
“We believe based on the targeting and the scale and the impact of these operations, and the fact that they didn’t just have an economic gain in mind but also political and military, that this is clearly a nation-state but we’re not pointing the finger at anyone,” Alperovitch said.
James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, said the evidence may not be “conclusive in a legal sense,” but suspicion points towards China.
“You can think of at least three other large programs attributed to China that look very similar,” Lewis told AFP. “It’s a pattern of activity that we’ve seen before.
“There’s a lot of smoke for there not to be any fire,” he added.
Google said in June that a cyber spying campaign originating in China had targeted Gmail accounts of senior US officials, military personnel, journalists and Chinese political activists.
In January of last year, Google announced it was halting censorship of its Internet search engine in China after coming under attack, along with 20 other companies, from hackers based there.
In February, McAfee said in another report that hackers in China have penetrated computer networks of global oil companies, stealing financial documents on bidding plans and other confidential information.
McAfee said it discovered the “Shady RAT” cyber attacks by gaining access to a command and control server located in a Western country that had been used by the intruders and by examining its logs.
“After painstaking analysis of the logs, even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators,” McAfee said.
The security firm said attacks on the Olympic committees and the World Anti-Doping Agency occurred in the lead-up and immediate follow-up to the 2008 Beijing Olympics.
It described this as “particularly intriguing and potentially pointed a finger at a state actor behind the intrusions, because there is likely no commercial benefit to be earned from such hacks.”
Other targets included a private Western organization focused on promoting democracy, two US national security think tanks, South Korean steel and construction firms, a Danish satellite communications company, a Singapore electronics company, a Taiwanese electronics firm, Vietnam’s government-owned technology company and US state and county governments, McAfee said.
It said a major US news organization — identified as The Associated Press by The Washington Post — was “compromised at its New York headquarters and Hong Kong bureau for more than 21 months.”
McAfee said the attacks involved sending infected emails to employees of the targeted companies. When opened, the emails implanted malware and established a backdoor communication channel to the command and control server.
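The report described above was built by examining a command and control server’s logs: each implant checks in to the server, so the log records which victims connected, when they first appeared, and how long they kept beaconing (the basis for figures such as “more than 21 months”). The following is an added illustration of that kind of log analysis, written for this article; it is not McAfee’s tooling or data. The log format, the beacon endpoint name `/check.php`, the `id=` parameter and every log line are constructed assumptions so that the script runs offline.

```python
"""Summarize implant check-ins recorded in a command-and-control server log.

Given access-log style lines, keep only requests to the beacon endpoint,
group them by implant identifier, and report first/last seen, number of
check-ins, dwell time in months and the source addresses for each victim.
Log format, endpoint and sample lines are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Assumption: the implant polls this path with its identifier as a query parameter.
BEACON_PATH = "/check.php"

# Constructed sample log: "<timestamp> <source ip> <method> <request target>".
SAMPLE_LOG = """\
2006-07-12T09:14:03Z 203.0.113.10 GET /check.php?id=VICTIM-A
2006-07-13T09:15:11Z 203.0.113.10 GET /check.php?id=VICTIM-A
2008-04-20T13:02:55Z 203.0.113.10 GET /check.php?id=VICTIM-A
2008-06-01T08:00:00Z 198.51.100.7 GET /check.php?id=VICTIM-B
2008-09-02T08:01:00Z 198.51.100.7 GET /check.php?id=VICTIM-B
2009-01-15T11:30:00Z 192.0.2.44 GET /index.html
this line is not a log record
"""


@dataclass
class Beacon:
    ts: datetime
    src_ip: str
    victim_id: str


def parse_line(line):
    """Return a Beacon for a check-in request, or None for anything else."""
    parts = line.split()
    if len(parts) != 4:
        return None  # malformed or unrelated line
    ts_text, src_ip, _method, target = parts
    url = urlparse(target)
    if url.path != BEACON_PATH:
        return None  # ordinary request, not an implant check-in
    ids = parse_qs(url.query).get("id")
    if not ids:
        return None  # check-in without an identifier; cannot attribute it
    try:
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None  # unparsable timestamp
    return Beacon(ts, src_ip, ids[0])


def parse_log(text):
    """Parse every line of the log, silently dropping non-beacon lines."""
    beacons = []
    for line in text.splitlines():
        beacon = parse_line(line)
        if beacon is not None:
            beacons.append(beacon)
    return beacons


def months_between(first, last):
    """Whole calendar months from first to last (same month -> 0)."""
    return (last.year - first.year) * 12 + (last.month - first.month)


def victim_summary(beacons):
    """Group check-ins by victim id and compute per-victim dwell statistics."""
    by_victim = defaultdict(list)
    for beacon in beacons:
        by_victim[beacon.victim_id].append(beacon)
    summary = {}
    for victim_id, items in by_victim.items():
        items.sort(key=lambda b: b.ts)
        summary[victim_id] = {
            "first_seen": items[0].ts,
            "last_seen": items[-1].ts,
            "checkins": len(items),
            "dwell_months": months_between(items[0].ts, items[-1].ts),
            "source_ips": sorted({b.src_ip for b in items}),
        }
    return summary


if __name__ == "__main__":
    for victim_id, stats in sorted(victim_summary(parse_log(SAMPLE_LOG)).items()):
        print(victim_id, stats["checkins"], "check-ins,",
              stats["dwell_months"], "months,",
              stats["first_seen"].date(), "to", stats["last_seen"].date(),
              "from", ", ".join(stats["source_ips"]))
```

The dwell time is computed from first to last check-in, so a victim that beaconed only once reports zero months; in a real investigation the same grouping would also be joined against the organization that owned each source address, which is the step that turned a list of IP addresses into the victim list the article describes.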
Data theft appeared to be the chief objective of the attackers but Alperovitch warned the “potential exists for even more insidious activity.”
“These intruders are in our systems, in the systems of all these companies, in all these government systems,” he said. “The likelihood that they’ll escalate the activity from just stealing data to modifying data or destroying data or destroying systems is also there.”