McAfee: 'Shady RAT' Attacks Could Have Hit Thousands of Targets

The McAfee researcher responsible for the company's report on the five-year "Shady RAT" attacks on high-profile U.S. government agencies, the United Nations, the IOC, and numerous defense contractors and IT companies believes that "thousands" more targets could have been attacked.

In total, McAfee identified 72 major targets of the Shady RAT attacks, virtually all of which the company declined to identify.

McAfee had been aware of the attacks since 2009, but only in March did it unearth a single command-and-control server whose logs allowed it to determine the scope of the attacks, Dmitri Alperovitch, the vice president of threat research at McAfee, said in a teleconference with reporters on Wednesday morning.

Alperovitch said that the attacks could have a far-reaching impact on the American worker. Rather than a "Pearl Harbor"-type attack on the United States, Alperovitch compared the campaign to a "death by a thousand cuts".

"There may be a national security impact from the government intrusions, the defense contractor intrusions, but what this really shows us is the impact on the overall economy, and the impact that your company's job in Des Moines, Iowa, may well depend - or be impacted I should say - by this activity," Alperovitch said. "Because the company that he or she may be working for may go out of business soon because an unscrupulous competitor is stealing their intellectual property and may soon be coming on the market with a cheaper technology because they've stolen all your R&D."

Alperovitch said he believed that the single command-and-control server was just one of many, but that at this point it was impossible to say for certain. McAfee also said that the targets were identified by IP address. In several cases, the target IP was the known address of a specific company's firewall or mail gateway, he said. In certain cases, McAfee identified the target with its permission or because, as with the United Nations, it was impossible to describe the target without effectively identifying it. He also said that McAfee provided the information to the affected companies for free.

In many other cases, McAfee detected other target IP addresses that it was unable to correlate to any organization. Those IP addresses could have belonged to another, unknown company, or to a worker from one of the affected targets working at home or while traveling.
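The victim-identification step described above, where check-in records from a command-and-control server are matched against the known firewall or mail-gateway addresses of organizations, can be illustrated with a small script. This is an added example, not McAfee's tooling or the real Shady RAT log format: the log lines, the line layout (timestamp, victim IP, beacon path) and the organization netblocks are all constructed, using the RFC 5737 documentation ranges. It uses longest-prefix matching to attribute each check-in, records first- and last-seen times per organization so the length of each intrusion can be read off the logs, and sets aside addresses that match nothing, which is the bucket the article describes as home or traveling workers or unknown companies.

```python
import ipaddress
from datetime import datetime

# Constructed sample of a C2 check-in log (assumed layout: "<ISO timestamp> <victim IP> <beacon path>").
SAMPLE_LOG = """\
2011-03-01T08:15:02Z 192.0.2.10 /images/ok.gif
2011-03-01T08:45:11Z 192.0.2.10 /images/ok.gif
2011-03-02T09:02:45Z 198.51.100.7 /images/ok.gif
2011-03-05T17:30:00Z 203.0.113.88 /images/ok.gif
2011-03-09T08:15:02Z 192.0.2.10 /images/ok.gif
2011-03-10T12:00:00Z 203.0.113.201 /images/ok.gif
"""

# Hypothetical netblocks: the known gateway addresses of identifiable organizations.
# A real analysis would build this from WHOIS data, passive DNS and the victims' own records.
KNOWN_NETBLOCKS = {
    "192.0.2.0/24": "Example Defense Contractor (mail gateway)",
    "198.51.100.0/27": "Example Government Agency (firewall)",
}

UNATTRIBUTED = "unattributed"


def parse_log(text):
    """Turn raw log text into (timestamp, ip_address, path) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, path = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ipaddress.ip_address(ip), path))
    return events


def attribute(ip, netblocks):
    """Longest-prefix match of a victim IP against known organization netblocks.

    Returns the organization name, or UNATTRIBUTED when no block contains the address.
    """
    best = None
    for cidr, org in netblocks.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, org)
    return best[1] if best else UNATTRIBUTED


def summarize(events, netblocks):
    """Group check-ins by organization with counts, distinct IPs and first/last-seen times.

    'dwell_days' is the span between the first and last check-in attributed to that
    organization, i.e. the minimum duration of the intrusion visible in this one log.
    """
    summary = {}
    for ts, ip, _path in events:
        org = attribute(ip, netblocks)
        entry = summary.setdefault(org, {"checkins": 0, "ips": set(), "first": ts, "last": ts})
        entry["checkins"] += 1
        entry["ips"].add(str(ip))
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    for entry in summary.values():
        entry["dwell_days"] = (entry["last"] - entry["first"]).days
    return summary


if __name__ == "__main__":
    for org, entry in summarize(parse_log(SAMPLE_LOG), KNOWN_NETBLOCKS).items():
        print(f"{org}: {entry['checkins']} check-ins from {sorted(entry['ips'])}, "
              f"{entry['first']:%Y-%m-%d} to {entry['last']:%Y-%m-%d} ({entry['dwell_days']} days)")
```

Longest-prefix matching matters because a company's mail gateway may sit inside a larger block belonging to its hosting provider; matching the most specific block avoids attributing a victim to the wrong owner. The unattributed bucket should be reported rather than dropped, since it is exactly the set of addresses that may belong to victims not yet identified.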

The likely existence of other command-and-control servers also suggests that there were many more targets McAfee had not yet detected, Alperovitch said. "I think it's fair to assume, that if you look at the totality of activity that's occurring, it's in the thousands" of targets, he said.

Who did it?

The command-and-control server McAfee detected was located in a "Western country," Alperovitch said. He did not say whether it was a compromised machine.

Alperovitch also declined to identify the source of the attacks; in its report, McAfee said that it believed the source of Shady RAT was a single nation-state, given the attacks on several Olympic committees, including the International Olympic Committee and the World Anti-Doping Agency in Canada.

Alperovitch also declined to identify whether or not the attacks came from China, Eastern Europe, or another region. "We're not really in the business of attribution," he said.

In the case of the recent "Night Dragon" attacks on Western oil and gas companies, however, Alperovitch said that oil and gas concessions were lost as a result of the attacks, which essentially gave the attackers access to the playbook those companies used in international negotiations. "Someone is going through a tremendous amount of effort to get this data and to coordinate these intrusions," he said.