A string of Asian government agencies and high-profile businesses have been hacked in massive espionage attacks that point the finger at China, a McAfee investigation has found.
In two of the attacks, the Olympic Committee of one unnamed Asian nation and a South Korean government agency failed to notice hacking attacks that had persisted for more than two years.
Federal government agencies, defence contractors and electronics companies were some of the organisations across 14 countries that were hacked, according to the company.
Analysis of the logs found that the victims included 22 government agencies, 13 defence contractors, 12 communications firms, 12 non-profit think tanks, six engineering firms and four private-industry companies.
Another 49 were US-based, four were in Canada, and the UK, Japan and Switzerland accounted for two each.
According to Operation Shady RAT, an investigation led by Dmitri Alperovitch, vice president of threat research at McAfee, 'every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised, or will be shortly'.
He also said that the great majority of victims rarely discover an intrusion or its impact, and that the Fortune Global 2000 firms can be divided into two categories: those that know they've been compromised and those that don't.
Alperovitch said: “I have often been asked by our worldwide customers if they should worry about such sophisticated penetrations themselves or if that is a concern only for government agencies, defence contractors and perhaps Google. My answer in almost all cases has been unequivocal: absolutely.”
He said that advanced persistent threats (APTs) "present a far greater threat to companies and governments, as the adversary is tenaciously persistent in achieving their objectives", and that what has been witnessed over the "past five to six years has been nothing short of a historically unprecedented transfer of wealth".
The report also considered the loss of data, which Alperovitch called "a massive economic threat not just to individual companies and industries but to entire countries", while noting that public (and often industry) understanding of this national security threat is largely minimal. He attributed this to the limited number of voluntary disclosures by victims of intrusion activity compared with the actual number of compromises that take place.
The analysis found that the tactics were not new and that the vast majority of victims have long since remediated the specific infections. McAfee detected the malware variants and other relevant indicators with its Generic Downloader.x and Generic BackDoor.t heuristic signatures, and access to a specific command-and-control server revealed a basic entry procedure.
“The compromises themselves were standard procedure for these types of targeted intrusions: a spear-phishing email containing an exploit is sent to an individual with the right level of access at the company and the exploit when opened on an unpatched system will trigger a download of the implant malware,” he said.
“That malware will execute and initiate a backdoor communication channel to the command and control web server and interpret the instructions encoded in the hidden comments embedded in the webpage code.
“This will be quickly followed by live intruders jumping on to the infected machine and proceeding to quickly escalate privileges and move laterally within the organisation to establish new persistent footholds via additional compromised machines running implant malware, as well as targeting for quick exfiltration the key data they came for.”
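Alperovitch's description of implants reading their instructions from hidden comments in a web page points to a simple defensive check. The Python below is an added example, not McAfee's code or anything from the Shady RAT report: it extracts HTML comments from fetched page content and flags any comment carrying a long, high-entropy base64-style run, which is how an encoded instruction would look to a web proxy or content filter. The sample page, the encoded blob and the length and entropy thresholds are all constructed for illustration.

```python
import base64
import math
import re

# Non-greedy match for HTML comments, spanning lines.
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Runs of base64-alphabet characters; the 32-char minimum is an assumed threshold.
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{32,}")


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty string."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_comments(html: str) -> list:
    """Return the stripped bodies of every HTML comment in the page."""
    return [m.group(1).strip() for m in COMMENT_RE.finditer(html)]


def find_suspicious_comments(html: str, min_entropy: float = 4.0) -> list:
    """Flag comments containing a long base64-like blob whose entropy is high.

    Ordinary developer notes are short words separated by spaces and never
    match; an encoded instruction is one long, high-entropy token.
    The entropy threshold is an assumed value, tune it against real traffic.
    """
    hits = []
    for body in extract_comments(html):
        for blob in BLOB_RE.findall(body):
            ent = shannon_entropy(blob)
            if ent >= min_entropy:
                hits.append({"comment": body, "blob": blob, "entropy": round(ent, 2)})
                break  # one finding per comment is enough
    return hits


# Constructed sample page: one ordinary developer comment and one comment
# carrying an opaque encoded blob (base64 of harmless filler text).
ENCODED_BLOB = base64.b64encode(b"constructed sample blob text").decode()
SAMPLE_HTML = f"""<html><head><title>Welcome</title></head>
<body>
<!-- TODO: replace banner image before launch -->
<p>Company news and updates.</p>
<!-- {ENCODED_BLOB} -->
</body></html>"""

if __name__ == "__main__":
    for hit in find_suspicious_comments(SAMPLE_HTML):
        print(f"flagged comment (entropy {hit['entropy']}): {hit['blob']}")
```

Run against the sample page, only the comment containing the encoded blob is flagged; the TODO note is left alone.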
Raj Samani, EMEA CTO at McAfee, told SC Magazine that the main point of the attack was that it went on for five years in some cases, even though the number of targets affected was relatively small. Asked if he was surprised that this was not noticed earlier, he said: "I am not surprised; TK Maxx only knew about the intrusion when the network was running slow. You can add technologies and keep going, but five years is a long time."
A McAfee report and blog analysis have been posted online.