Operation Shady RAT

from Wikipedia, the free encyclopedia

Operation Shady RAT (roughly "dodgy rat" or "hidden remote access") is the name for a series of hacker attacks in which at least 72 companies, organizations and governments worldwide were systematically spied on between 2006 and 2011. Dmitri Alperovitch, an employee of the US computer security company McAfee, coined the name, which alludes to the term Remote Access Tool (remote access software).

Discovery

On August 2, 2011, at the start of the "Black Hat" conference in Las Vegas, Dmitri Alperovitch published a fourteen-page report on an official McAfee blog in which he summarized the facts known to McAfee since March 2011, listed 72 targets of the hacking attacks, and offered a graphical timeline of the attacks since 2006. Like Operation Aurora and Operation Night Dragon, which originated in China, he classified them as advanced persistent threats and thus as a greater threat to states and companies than groups such as Anonymous or LulzSec. Alperovitch notified the American government, Congress, and law enforcement agencies of his discovery.

Assessment

While Alperovitch described the attacks grouped under Operation Shady RAT as "unprecedented", assessed the data loss as an economic threat to companies or entire countries and also raised the question of national security, security researchers from other companies such as Symantec, Kaspersky and Dell SecureWorks were more cautious in their judgments. Details about the extent of the data loss are not yet known, and the technical sophistication of the attackers is not as high as initially assumed. Symantec researcher Hon Lau rated Operation Shady RAT as "significant", but only as "one of many attacks that take place every day". Yevgeny Kaspersky concluded that the attack had been overrated and did not deserve much attention; in his view it was not carried out by a state but by criminals using inexpensive software.

Method of attack

In 2009, McAfee identified a central control server on which logs of the attacks were found; these could be traced back to mid-2006. The attacks may have started earlier and were still ongoing in the summer of 2011. Access to the respective computer systems was gained with the help of spear phishing e-mails. Unlike other phishing e-mails, these are messages that, because of their correct-looking presentation, can hardly be distinguished from a legitimate e-mail and are sent to addressees who already have access to the attacked network. They contain malware that enables the attacker to control the now infected computer from outside. According to an analysis by the software company Symantec, the e-mails initially carried file attachments in common formats that were designed to arouse the users' interest. They contained malicious code in the form of Trojan horses, which caused the infected computers to download images in which further commands for remote access were hidden by means of steganography.
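A defensive check that complements the description above, added here as an example and not part of the original article or of any vendor's analysis. The article does not say how the commands were embedded in the images, so this only tests one common carrier for hidden data in downloaded images: bytes appended after the format's end marker (PNG IEND, JPEG EOI), which an image viewer never reads but a downloader can. The sample images are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_trailing_bytes(data: bytes) -> int:
    """Walk the PNG chunk list to IEND and return how many bytes follow it."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # length + type, payload, CRC
        if ctype == b"IEND":
            return len(data) - pos
    raise ValueError("truncated PNG: no IEND chunk")


def jpeg_trailing_bytes(data: bytes) -> int:
    """Walk JPEG segments to the first SOS, then to EOI; return bytes after EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]  # marker + segment
        if marker == 0xDA:  # SOS: entropy-coded scan data follows
            break
    else:
        raise ValueError("malformed JPEG: no SOS segment")
    # In scan data 0xFF is always followed by 0x00 or RSTn, so the first FF D9 is the EOI.
    eoi = data.find(b"\xff\xd9", pos)
    if eoi < 0:
        raise ValueError("truncated JPEG: no EOI marker")
    return len(data) - (eoi + 2)


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:  # length, type, payload, CRC(type+payload)
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


# Constructed samples: a 1x1 grayscale PNG and a structurally valid JPEG skeleton, clean and with appended bytes.
CLEAN_PNG = (PNG_SIG + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _png_chunk(b"IEND", b""))
TRAILER_PNG = CLEAN_PNG + b"constructed trailing payload"
CLEAN_JPEG = (b"\xff\xd8"
              + b"\xff\xe1" + struct.pack(">H", 6) + b"\xff\xd9\x00\x00"  # APP1 whose payload contains FF D9
              + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"  # SOS header
              + b"\x12\x34\xff\x00\x56"  # scan data with a stuffed FF 00
              + b"\xff\xd9")
TRAILER_JPEG = CLEAN_JPEG + b"\x00" * 16
```

A non-zero result is only a trigger for closer inspection; some legitimate tools also append metadata, so the check belongs in a pipeline that quarantines or flags rather than blocks outright.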

Organizations attacked

At least 72 organizations were attacked; McAfee assumes there were many more that it could not identify precisely. Those identified include government authorities from the United States, Canada, India and other Asian countries, the Association of Southeast Asian Nations (ASEAN), the United Nations, the International Olympic Committee, and various companies, one of them in Germany. The majority of the attacks, 49 cases, were directed against American targets. The focus was on the electronics and armaments industries. The attackers remained in the compromised systems for between one and 28 months.

According to Alperovitch, the stolen or illegally copied data includes, among other things, secret information from the governments concerned, software source code, plans for oil and gas production, contract texts and e-mails. The volume is said to be in the petabyte range. One petabyte corresponds to the storage capacity of 250 standard hard drives of four terabytes each.

Possible perpetrators

McAfee suspects that the cyberattacks originated from government agencies, without being more specific. According to Alperovitch, the attackers' search for secrets and intellectual property set them apart from the usual motivation of cyber criminals, who seek quick financial gain. The interest in information from Western and Asian Olympic Committees and the World Anti-Doping Agency in connection with the 2008 Summer Olympics points to a state actor in the background, as this information cannot be directly converted into commercial gain. Jim Lewis of the Center for Strategic and International Studies in Washington suspected that China, the host of the 2008 Olympics, was behind the attacks. The malware researcher Joe Stewart of Dell SecureWorks was able to confirm a Chinese origin. He discovered that the attackers were using a ten-year-old program called HTran (HUC Packet Transmit Tool), developed by a Chinese hacker, to conceal the origin of the attacks in China. Whether the Chinese government was involved in the attacks remains open.

Reactions

The Chinese government did not comment, but media close to the government such as the newspaper Renmin Ribao denied that China was a state perpetrator. A week after the cyberattacks were uncovered, the Chinese government announced that it had itself been the victim of half a million such attacks in 2010, almost fifteen percent of which came from IP addresses in the United States. However, the country of origin of an attack cannot be determined with certainty from the geographic assignment of IP addresses.

Canada's Minister of Public Works and Government Services, Rona Ambrose, announced three days after the initial publication of Operation Shady RAT that Canada would reduce its more than 100 government e-mail systems to 20 and merge 3000 networks. She hoped that this would both reduce the potential attack surface and save costs. Janet Napolitano, the United States Secretary of Homeland Security, also confirmed that the McAfee report was being reviewed. Furthermore, the United Nations Office in Geneva and the World Anti-Doping Agency began to check whether the hacker attacks described had taken place. The latter stated, however, that it had a sophisticated security system and that there was no reason to assume that hackers had had access to sensitive data.

In Germany, the Federal Office for Information Security announced that it would examine Alperovitch's report. Dieter Kempf, President of the Bitkom industry association for the German IT industry, called for an expansion of the National Cyber Defense Center, which was set up in June 2011, and for closer cooperation between business and government agencies. DATEV denied having been one of the targets of the attacks.
