Shady RAT: Trillions Stolen; Response Weak

Wednesday, August 29, 2012 @ 08:08 PM gHale


By Richard Sale
One year after U.S. cyber investigators uncovered a five-year-old Chinese hacking venture called Shady RAT that looted “trillions of dollars worth of intellectual and corporate data from U.S. companies,” the response of the corporations to the threat is still loosely coordinated and ineffective, former U.S. intelligence officials said.

“Companies think first of their shareholders or shielding their name, not safety,” one official said. “They have a phobia about publicity.”


“This is a very sensitive matter which companies find it hard to talk about or address,” another official said. “They feel that the government should be protecting them when, in fact, they should be protecting themselves.”

Whether this means companies are ignoring the attacks or quietly raising their security posture remains unclear, but in most cases the result has been ineffective, sources said, and yet more companies, such as oil giant Saudi Aramco, are suffering major targeted attacks.

Even the U.S. patent offices “are a very attractive target for espionage,” said James Lewis, a cyber expert at CSIA in Washington. “For hackers, it’s one-stop shopping. Why waste time when you can go to the source and get the finished product.”

Shady RAT is no different from other attempts by China to evade security and loot the property of U.S. corporations and federal agencies. They have been looting U.S. banks of hundreds of millions of dollars a year, said Lewis. Only one bank, Citigroup, went public with its losses.

In a 14-page report issued last year, the security firm McAfee listed “72 companies in 14 countries it claimed have been the victim for more than five years of cyber attacks siphoning intellectual property – including government data, business dealings and corporate research.”

Victims included government bodies in the United States, Taiwan, South Korea, Vietnam and Canada, said Dmitri Alperovitch, vice president of threat research at McAfee. Fifty of the victims included “corporations, government agencies (particularly defense contractors) and nonprofits based in the United States. Other sites infiltrated included the United Nations and Associated Press.”


One U.S. intelligence official said that malware has been removed from most sites, but said the case is still “ongoing.” The weapon the attackers used was ordinary email.

In the case of the United Nations, the hackers broke into the computer system of its secretariat in Geneva in 2008, hid there for nearly two years, and combed through reams of secret data, McAfee said.

“Even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators,” Alperovitch said in the report.

“What is happening to all this data … is still largely an open question. However, if even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat.”

McAfee learned of the extent of the hacking campaign in March 2011, when researchers discovered logs of the attacks while reviewing the contents of a “command and control” server they discovered in 2009 as part of an investigation into security breaches at defense companies.

It called the attacks “Operation Shady RAT” and said the earliest breaches date back to mid-2006, though there might have been other intrusions. (RAT stands for “remote access tool,” a type of software that hackers and security experts use to access computer networks from afar).

Some of the attacks lasted just a month, but the longest — on the Olympic Committee of an unidentified Asian nation — went on and off for 28 months, McAfee said.

In February 2011, McAfee warned that hackers working in China had broken into the computer systems of multinational oil and natural gas companies to steal bidding plans and other critical proprietary information. Exxon Mobil, Royal Dutch Shell, BP, Marathon Oil, ConocoPhillips and Baker Hughes were the six companies targeted in the attack.

“Night Dragon” attacks relied on a combination of spear-phishing, social engineering, Windows bugs and RATs to guarantee success. The catch is none of the tactics were particularly sophisticated, said McAfee, which uncovered the assault emanating from China and consisting of covert attacks targeting oil, energy and petrochemical companies as far back as November 2009.

“(The attacks) were very successful,” Alperovitch said. The information the hackers obtained had huge value to competitors.

That information included financial documents related to oil and gas field exploration and bid negotiations, as well as operational details on oil and gas field production supervisory control and data acquisition (SCADA) systems. That attack showed security needs to be strong from the field all the way through the enterprise. You never know where the attack could occur.
