Operation Shady RAT: five-year hack attack hit 14 countries

The governments of the United States, Canada, and South Korea, as well as the UN, the International Olympic Committee, and 12 US defense contractors were among those hacked in a five-year hacking campaign dubbed “Operation Shady RAT” by security firm McAfee, which revealed the attacks. Many of the penetrations were long-term, with 19 intrusions lasting more than a year, and five lasting more than two. Targets were found in 14 different countries, across North America, Europe, India, and East Asia.

The infiltration was discovered when McAfee came across a command-and-control server, used by the hackers for directing the remote administration tools—”RATs,” hence the name “Operation Shady RAT”—installed in the victim organizations, during the course of an invesigation of break-ins at defense contractors. The server was originally detected in 2009; McAfee began its analysis of the server in March this year. On the machine the company found extensive logs of the attacks that had been performed. Seventy-two organizations were positively identified from this information; the company warns that there were likely other victims, but there was not sufficient information to determine what they were.

The attacks themselves used spear-phishing techniques that are by now standard. Apparently legitimate e-mails with attachments are sent to organization employees, and those attachments contain exploit code that compromise the employee’s system. These exploits are typically zero-day attacks. With a PC now compromised, the hackers can install RAT software on the victim PCs, to allow long-term monitoring, collection of credentials, network probing, and data exfiltration.


This entry was posted in Cybersecurity Memo - Insiders Edition and tagged . Bookmark the permalink.