McAfee's Shady RAT investigation reveals mass attacks over five year period

Malicious intrusions have escalated against global companies, governments and organisations and are rarely noticed.

According to an investigation into "Operation Shady RAT" led by Dimitri Alperovitch, vice president of threat research at McAfee, 'every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised, or will be shortly'.

He also said that the great majority of victims rarely discover an intrusion or its impact, and that the Fortune Global 2000 firms can be divided into two categories: those that know they've been compromised and those that don't.

Alperovitch said: “I have often been asked by our worldwide customers if they should worry about such sophisticated penetrations themselves or if that is a concern only for government agencies, defence contractors and perhaps Google. My answer in almost all cases has been unequivocal: absolutely.”

He said that Advanced Persistent Threats (APT) 'present a far greater threat to companies and governments, as the adversary is tenaciously persistent in achieving their objectives', but that what has been witnessed over the 'past five to six years has been nothing short of a historically unprecedented transfer of wealth'.

The loss of data was also considered, with Alperovitch calling it 'a massive economic threat not just to individual companies and industries but to entire countries', but he said that the public (and often the industry) understanding of this national security threat is largely minimal. He attributed this to the limited number of voluntary disclosures by victims of intrusion activity in comparison to the actual number of compromises that take place.

The analysis found that the tactics were not new and that the vast majority of the victims have long since remediated the specific infections. McAfee detects the malware variants and other relevant indicators with its Generic Downloader.x and Generic BackDoor.t heuristic signatures, and gaining access to one of the operation's command and control servers revealed a standard intrusion procedure.

“The compromises themselves were standard procedure for these types of targeted intrusions: a spear-phishing email containing an exploit is sent to an individual with the right level of access at the company and the exploit when opened on an unpatched system will trigger a download of the implant malware,” he said.

“That malware will execute and initiate a backdoor communication channel to the command and control web server and interpret the instructions encoded in the hidden comments embedded in the webpage code.

“This will be quickly followed by live intruders jumping on to the infected machine and proceeding to quickly escalate privileges and move laterally within the organisation to establish new persistent footholds via additional compromised machines running implant malware, as well as targeting for quick exfiltration the key data they came for.”
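The command channel described in the quote above, where the implant fetches an ordinary-looking web page and reads its instructions out of hidden HTML comments, is easy to model and, more usefully, to detect. The following is an added example written for this page, not McAfee's code and not the actual Shady RAT encoding: the base64 encoding of the commands, the page layout and the detection thresholds are assumptions chosen for illustration. It shows the operator side (building the page), the implant side (parsing commands out of comments) and the defender side (flagging response bodies whose comments carry encoded payloads rather than developer notes).

```python
"""Toy model of an HTML-comment command channel plus a detector for it.

Added example for this article; not McAfee's code and not the real Shady RAT
encoding. The base64 scheme, the sample page and the thresholds are assumptions.
"""
import base64
import math
import re
from html.parser import HTMLParser

# Matches a plain base64 token (no whitespace); used by both implant and detector.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


# --- operator side: hide instructions in an innocuous page (assumed encoding) ---
def build_c2_page(commands):
    """Return an innocuous-looking page whose comments carry base64 commands."""
    hidden = "\n".join(
        f"<!-- {base64.b64encode(c.encode()).decode()} -->" for c in commands
    )
    return (
        "<html><head><title>Company News</title></head>\n<body>\n"
        "<!-- page generated by cms v2.1 -->\n"          # ordinary developer comment
        "<h1>Welcome</h1>\n" + hidden + "\n"
        "<p>Latest updates from our team.</p>\n</body></html>"
    )


# --- shared: pull every HTML comment out of a response body ---
class _CommentCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def extract_comments(html):
    parser = _CommentCollector()
    parser.feed(html)
    return parser.comments


# --- implant side: what a beacon does with the fetched page ---
def decode_instructions(html):
    """Return decoded commands from comments that are valid base64; skip the rest."""
    commands = []
    for comment in extract_comments(html):
        if len(comment) % 4 != 0 or not B64_RE.match(comment):
            continue
        try:
            commands.append(base64.b64decode(comment, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return commands


# --- defender side: flag comments that look like encoded data, not notes ---
def shannon_entropy(text):
    """Bits per character; encoded blobs score higher than English prose."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_comments(html, min_len=16, min_entropy=3.0):
    """Return comments that are long, encoded-looking and high-entropy.

    Thresholds are assumptions for the example; tune them on your own traffic.
    """
    flagged = []
    for comment in extract_comments(html):
        compact = comment.replace(" ", "")
        looks_encoded = bool(B64_RE.match(compact) or HEX_RE.match(compact))
        if len(compact) >= min_len and looks_encoded and shannon_entropy(compact) >= min_entropy:
            flagged.append(comment)
    return flagged


if __name__ == "__main__":
    # Constructed sample: two hidden commands beside one ordinary comment.
    page = build_c2_page(["sleep 3600", "upload C:\\Users\\Public\\report.docx"])
    print("implant would run:", decode_instructions(page))
    print("detector flags:", suspicious_comments(page))
```

The detector does not need to know the encoding to be useful: a proxy or NIDS rule that flags long, high-entropy comments in pages fetched by a host that otherwise never browses is a reasonable tripwire, and pairing it with beacon-interval analysis (the same URL fetched on a fixed schedule) cuts down on false positives from minified pages and build stamps.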

Alperovitch said that analysis of the logs was surprising for the enormous diversity of victims, with 72 compromised parties in all. Among them are 22 government agencies, 13 defence contractors, 12 communications firms, 12 non-profit think tanks, six engineering firms and four private industry companies. By country, 49 are US-based, Canada accounts for four, and the UK, Japan and Switzerland account for two each.

Raj Samani, EMEA CTO at McAfee, told SC Magazine that the main point of the attack was that it went on for five years in some cases, even though the number of targets affected was relatively small. Asked if he was surprised that this was not noticed earlier, he said: "I am not surprised; TK Maxx only knew about the intrusion when the network was running slow. You can add technologies and keep going, but five years is a long time."