Five-year cyber crime campaign controlled by one server

Security giant McAfee says it has found evidence of a cyber criminal campaign that has compromised 72 organisations since 2006, including the United Nations and several military defense contractors.

‘Operation Shady RAT’, as McAfee has dubbed the campaign, worked by sending phishing emails to employees in the organisations. When employees "with the right level of access" clicked on a link in the emails, malware was installed that opened a communication channel that allowed "live intruders" to access the organisations’ systems.

The whole operation was co-ordinated from a single command and control server, McAfee says, which contained historical logs of all its activities.

"We were very lucky to find five years’ worth of historical data on that server," Raj Samani, McAfee’s EMEA CTO told Information Age this morning.  

It is unclear why the perpetrators, who have not been identified, would have left the historical logs on the server. "Maybe it was a community of people who were leaving details on there to show what worked and what did not," Samani speculated.

According to Dmitri Alperovitch, who wrote McAfee’s report on the operation, the fact that the International Olympics Committee, the World Anti-Doping Agency and the Association of Southeast Asian Nations were among the victims "potentially pointed a finger at a state actor behind the intrusions".

Alperovitch refrained from articulating the implication that the state actor in question is 2008 Olympics hosts China.

McAfee says it has informed the affected organisations and US federal authorities of the attacks.

Common occurence

This afternoon, Information Age spoke to Ashar Aziz, founder and CEO of malware protection vendor FireEye about ‘Operation Shady RAT’.

Far from being an "unprecedented cyber-espionage campaign" (Vanity Fair) or the "biggest series of cyber-attacks in history" (the Guardian), Operation Shady RAT is an example of "a commonplace occurence in today’s threat landscape," Aziz remarked. "It’s a garden-variety targeted spear phishing attack that happens all the time, especially to defense contractors."

Nor is the detection of the command and control server especially remarkable, Aziz explained. "We are tracking tens of thousands of C&C servers live at any given point in the Internet."

What is unusual about Shady RAT is the fact that C&C server has been operational for so long, Aziz said, implying that this may mean its operators were not the most sophisticated cyber criminals.

"The kind of C&C servers we’re frequently dealing with nowadays have a very short half-life, and they are designed for ‘hit and run operations’," he said. "The more stealthy guys, they won’t hang around for five years."

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics