Operation Shady RAT May Be the Biggest Hack in History, But It is No Surprise

Anybody involved in the IT and cybersecurity industry knows that every major industry and government agency around the world is under threat of intrusion through Advanced Persistent Threats (APT). Security company McAfee is reporting one of the largest cases of intrusion ever in a campaign the company calls Operation Shady RAT (PDF) that has infiltrated 72 known (and many other unknown) governments and corporations over the last five years.

A RAT (Remote Access Tool) is what hackers use to gain access to computers and servers so they can siphon off data. In Operation Shady RAT, that data could include military and industrial secrets, emails from industries and more. If it could be stolen, it probably was. Victims range from the U.S. government, real estate agencies and the International Olympic Committee to small governments such as that of Taiwan. While many media organizations will call this "the biggest hack ever," it really should come as no surprise to anyone in the security field.

McAfee's white paper detailing the exploits of Shady RAT does not mention who might have been perpetrating this particular APT. McAfee released the report to Vanity Fair, which has made the assertion that the campaign probably originates in China. While that may be true, McAfee itself does not make that assertion. The reasoning behind blaming China is fairly simple: the data shows that almost every major country around China was hacked except for China itself. There is also the bit where the IOC (and the Olympic committees of various countries) were hacked just ahead of the Beijing summer games in 2008. In that regard, the World Anti-Doping Agency (WADA) was also hacked.

McAfee says that 13 defense contractors were also breached, which brings up recent memories of Anonymous hacking Booz Allen Hamilton in July and leaking 90,000 military-related emails.

McAfee was able to trace the malware signatures (the RAT, more or less) back to a single command-and-control server "in a Western country," which allowed it to identify the IP addresses of the victims. What McAfee does not report is exactly what information was actually stolen or how high the intrusions reached within each particular organization. As Graham Cluley of Sophos points out, it is one thing to breach the intern's computer; it is quite another to breach Joe the CEO. McAfee does not report how many computers were hacked, who they belonged to or what was stolen.

"Without those details, it is sort of same old, same old," said Cluley over the phone to ReadWriteWeb. "The juicy bit never arrived."

If Shady RAT has been in effect for five years and McAfee has known about it and been tracking it for a while, the company could have reported it at any time. Yet the news comes out today (in Vanity Fair, no less), which is the first day of the Black Hat security conference in Las Vegas, the biggest hacker/security conference of the year.

"McAfee's PR team are skilled operators in this regard (there was similar coincidental timing when they issued their 'NightDragon' investigation as the RSA Conference opened in February this year)," Cluley wrote in a blog post at Sophos's Naked Security blog.

NightDragon was a similar campaign against corporations, reported by McAfee in February this year. Among other grandiosely named campaigns of note in the recent past is Operation Aurora, the alleged APT against Google, other industries and the U.S. and foreign governments, reported earlier this year.

Cluley does not think that any more specific information will be coming from McAfee about the nature of the attacks.

"If their PR people found something more interesting, they would have reported it," Cluley said.