McAfee and other security experts in the U.S. have uncovered a massive five-year cyber-spying attack that hijacked data from major government organizations, including the United Nations, and large corporations in what McAfee is calling “nothing short of a historically unprecedented transfer of wealth” in a report it released Wednesday.
What was the “wealth” that was stolen? Classified government data, source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics, and more.
While McAfee did not point fingers at any one country, it did note in its report that: “if even a fraction of [the stolen data] is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat.”
The earliest evidence that McAfee has for when the cyber-spying began dates back to 2006, but the company notes that the attacks could have begun much earlier. And of the 72 victims identified, U.S. organizations and corporations made up 49. Other countries that were targeted include Canada, South Korea, Taiwan, Japan, Switzerland, and the United Kingdom, among others.
Naturally, all signs point to China, but McAfee isn’t naming names, other than to say that the culprit does appear to be a state actor. Other security experts are saying that China is most likely the perpetrator.
Victims include national and local government bodies (in the U.S., federal, state, and even county governments were attacked), construction and energy industries, defense contractors, the electronics industry, news media, non-profit organizations, think tanks, international sports, the accounting industry, and even the real estate industry.
One of the targets was the Associated Press, whose New York and Hong Kong offices were compromised when reporters working on issues related to China clicked on infected links sent to them via email, the Washington Post reports.
While McAfee did not disclose most of the victims’ identities, it did make note of attacks on the International Olympic Committee and the World Anti-Doping Agency. One Olympic committee for an undisclosed Asian nation was spied on for 28 months. The attacks on the International Olympic Committee took place shortly before the 2008 Beijing Olympics (China, you got some ‘splainin’ to do).
McAfee named the attacks “Operation Shady RAT”—RAT standing for “remote access tool.” The security company said it discovered the attacks in March, although it had been aware of a command and control server in a Western country used to deploy malware for years.
“I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact,” wrote Dmitri Alperovitch, McAfee’s VP of Threat Research, in the report. “In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”
One of the reasons that the extent to which sophisticated cyber attacks leveled against government and corporate organizations goes unnoticed, Alperovitch noted, is because few victims voluntarily step forward and admit they’ve been hacked. To do so would risk scaring off shareholders, which is why Google took an unprecedented leap last year when it came forward and publicly disclosed that it had been the target of a cyber attack from China (which China still denies).
McAfee says that the victims in the report have all been notified and many have already taken steps to remedy the problem, but the report was published anyway to shed light on how common these attacks are, and how many organizations are vulnerable.
“Virtually everyone is falling prey to these intrusions,” wrote Alperovitch, “regardless of whether they are the United Nations, a multinational Fortune 100 company, a small non-profit think-tank, a national Olympic team, or even an unfortunate computer security firm.”