Ares

A Defense Technology Blog
  • McAfee Smells A Rat
    Posted by Bill Sweetman 11:54 AM on Aug 04, 2011

    Cyber-espionage represents “an existential threat from an economic perspective”, according to McAfee vice-president for threat research Dmitri Alperovitch. The company has just released a summary of its own investigation, Operation Shady RAT, in which its operators gained access to a command and control server used by a remote access tool (RAT) involved in cyberespionage. McAfee was able to read the server logs and determine which targets had been compromised through that access point since 2006.

    McAfee is “not in the business of pointing fingers”, Alperovitch says, but McAfee believes that the culprit was a “nation state actor”…


    That cyberespionage has compromised many targets is not news. What is different about Shady RAT is that it was McAfee’s own operation and can therefore be talked about. “The reason we released the report is that we have known about this, but have been constrained in what we could say. We discovered this independently so we had not signed agreements with the victims”.

    Of the many targets in the log, 72 could be identified: 13 were defense contractors, 22 were government agencies, 12 were international organizations, and the rest were private-sector companies in industries ranging from real estate and construction to energy. Some targets were on supposedly secure government networks. Three US defense contractors were compromised by intrusions that lasted 20 months or more.

    “News reports are calling this the biggest cyber attack in history,” says Alperovitch. “But what we found was one server. This particular nation controls thousands of servers.”

    The information that was targeted also yielded surprises. Along with national secrets, the adversary was after commercial information such as contracts and bid data – with a clear intention, Alperovitch says, to gain the upper hand in competitive bidding.

    There are two big issues, Alperovitch says. One is the “sheer scale and magnitude” of the operation, “a wholesale transfer of intellectual property … They are using our resources for their R&D.” That, and the ability to compromise bid data, can cause “a direct loss of jobs.” The other is the potential for “escalation from espionage to cyber network warfare. The difference between escalation and attack may be a click of a button.”

    But the massive attack is “largely unnoticed because nobody is reporting it,” Alperovitch says. Most of the attack victims, commercial and government alike, requested that they not be identified. The attitude, says Alperovitch, is “I must have done something wrong if I’ve been compromised.” He adds: “I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”

    Tags: ar99, cyber, china
