Operation Shady RAT: China Attacks

Internet security and anti-virus firm McAfee, Inc. published a stunning report yesterday outlining Operation Shady RAT, a massive cyber attack which compromised 72 sensitive computer networks, 49 of them in the United States.  22 of the networks belonged to government agencies, including fourteen federal, state, and local government systems in the U.S.  13 of them were defense contractors.

The operation has been in progress since at least 2006, resulting in the theft of an incredible amount of valuable and sensitive data.  McAfee Vice President of Threat Research Dmitri Alperovitch, author of the Shady RAT report, sums up the damage from what he describes as “a significant national security threat” of which the public has “largely minimal” awareness:

What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth — closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more has “fallen off the truck” of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries. 

What is happening to all this data — by now reaching petabytes as a whole — is still largely an open question. However, if even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat not just to individual companies and industries but to entire countries that face the prospect of decreased economic growth in a suddenly more competitive landscape and the loss of jobs in industries that lose out to unscrupulous competitors in another part of the world, not to mention the national security impact of the loss of sensitive intelligence or defense information. 

Most of the attacks were carried out with malware-tainted emails containing links that, once the recipients clicked on them, opened the recipient’s system to access by the hackers.

Operation Shady RAT was eventually traced to a single “command and control” server, which was discovered while it was coordinating raids on defense contractors in 2009.  Harvesting activity logs from this server helped McAfee to determine the true scope of the operation, and compile lists of the victims, whose exact identities remain confidential.

Alperovitch says the perpetrator was a “state actor,” since massive resources were required to coordinate the operation, and some of the targets had no commercial benefit.  He would not formally designate the “state actor” he has in mind, but it’s China.  The non-commercial target list included all sorts of organizations China has an interest in, or does not like, including the Association of Southeast Asian Nations, the International Olympic Committee, Olympic committees in various Asian nations, the World Anti-Doping Agency, and the United Nations.  A swarm of attacks occurred around the time of the 2008 Olympic games in Beijing.  The top 5 targeted nations were the United States, Canada, South Korea, Taiwan, and Japan.  The U.S. was Number One by a very wide margin.  No other entity capable of conducting this operation would have picked the same target list.

I have yet to find a single computer security expert writing about the Shady RAT report who doubts China is the “state actor” in question.  The question now becomes: What are we going to do about it?

Historically, this would have been considered an act of war by China.  Before the Information Age, such a theft of information would have involved thousands of spies and saboteurs infiltrating brick-and-mortar installations within the borders of China’s adversaries.  Hundreds of them would have been captured.  It would have been one of the most earth-shaking stories of the Cold War era.  The heavy targeting of defense contractors and government agencies would have left little doubt in the minds of our forefathers that they were the targets of an aggressive military intelligence operation.

The Internet moved the theater of war to a virtual battleground, where nobody got arrested, and the spies were not compelled to defend themselves with garrotes and shoe knives.  The combatants sat in comfortable offices and enjoyed casual Fridays.  The immense value of the data stolen is diluted in the public eye because it was intangible.  No futuristic prototype aircraft or briefcases full of top-secret documents were involved.

Alperovitch cautions in his conclusion that Operation Shady RAT was the largest among many offensives in a raging cyber war:

Although Shady RAT’s scope and duration may shock those who have not been as intimately involved in the investigations into these targeted espionage operations as we have been, I would like to caution you that what I have described here has been one specific operation conducted by a single actor/group. We know of many other successful targeted intrusions (not counting cybercrime-related ones) that we are called in to investigate almost weekly, which impact other companies and industries. This is a problem of massive scale that affects nearly every industry and sector of the economies of numerous countries, and the only organizations that are exempt from this threat are those that don’t have anything valuable or interesting worth stealing.

Lone hackers and volunteer hacking organizations are bad enough, as the misadventures of the “Anonymous” hacking group demonstrate.  Among other things, they stole huge amounts of data from NATO, and declared cyber-war on the city of Orlando, triggering worldwide investigations and arrests.  The difference between Anonymous and Operation Shady RAT is the difference between a gang of bandits and the armed forces of an enemy nation. 

The wealth of the world will suffer as computer users venture into an Internet that has become a free-fire zone between dedicated security teams, and the predatory agents of “state actors” that will never be held accountable for their aggression, and therefore have no reason to stop.  There will likely be few repercussions for China from its web-based espionage, beyond the traditional Strongly Worded Letter.  In fact, it probably won’t be all that strongly worded.  If the Chinese government responds by email, I strongly recommend against clicking on any of the embedded links.