Wednesday, August 17, 2011

#SECURITY: "China Implicated as Intruder by McAfee"

While never mentioning China by name, a recent McAfee report implicates China as being behind a rash of malware intrusions into government and industry computers in search of state secrets, industrial designs and intellectual property.

McAfee, the Internet security provider, recently released a study that implicates China as the state sponsor behind a rash of malware intrusions into the computers of governments, industry and human-rights organizations, resulting in petabytes of state secrets, industrial designs and other intellectual property being stolen.

"The loss represents a massive economic threat not just to individual companies and industries but to entire countries," said Dmitri Alperovitch, vice president of Threat Research at McAfee, in his report entitled: Revealed: Operation Shady RAT.
While never specifically cited, China is implicated as the state sponsor of these intrusions into the government computers of the United States, Canada, South Korea, Vietnam and Taiwan, as well as those of the United Nations.

While the state actor behind the intrusions is never named, McAfee's recent report on Operation Shady RAT does cite all of China's traditional adversaries as victims, including the governments of the U.S., Canada, South Korea, Vietnam and Taiwan, along with the United Nations.

"Interest in the information held at the Asian and Western national Olympic Committees, as well as the International Olympic Committee (IOC) and the World Anti-Doping Agency in the lead-up and immediate follow-up to the 2008 Olympics [which were held in China] was particularly intriguing and potentially pointed a finger at a state actor behind the intrusions," said Alperovitch in the report.

McAfee "gained access" to a so-called command-and-control server whose logs recorded its intrusions into the victim computers. Those computers had been infected by way of a spear-phishing email sent to individuals with access to the targeted systems; once opened, the email triggered the download of malware that established a backdoor communication channel to the command-and-control server McAfee had penetrated. This server in turn interpreted instructions that had been encoded into hidden comments embedded in an infected webpage. The same method was used in Operation Aurora--the intrusion into Google's computers that triggered that company's threat to stop doing business in China back in 2010.
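The paragraph above describes instructions hidden inside HTML comments on an otherwise innocuous webpage. A defender looking at proxy or sandbox captures can triage that pattern by pulling every comment out of a page and flagging the ones that are not human-readable text but decode cleanly from base64 to something readable. The following script is an added illustration written for this page, not code from McAfee's report or from the Shady RAT analysis; the sample HTML, the `example.invalid` hostname in it and the length threshold are all constructed assumptions.

```python
import base64
import binascii
import re

# Constructed sample page (not from the report): an ordinary build comment
# plus two comments that carry base64-encoded text instead of prose.
SAMPLE_HTML = """<html><head><title>Photos</title></head>
<body>
<!-- page generated 2011-08-17 -->
<p>Holiday pictures</p>
<!-- aHR0cDovL2MyLmV4YW1wbGUuaW52YWxpZC9iZWFjb24= -->
<!-- c3RhdHVzOiBvaw== -->
</body></html>"""

# Non-greedy match so each comment is captured on its own, across newlines.
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)

# A whole comment made of base64 alphabet characters (plus optional padding).
# The minimum length of 12 is an assumed threshold to skip short tokens
# such as version strings that happen to be base64-clean.
B64_TOKEN_RE = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")


def extract_comments(html):
    """Return the stripped text of every HTML comment in the page."""
    return [m.group(1).strip() for m in COMMENT_RE.finditer(html)]


def try_decode_base64(token):
    """Decode a comment if it is strict base64 that yields printable ASCII.

    Returns the decoded text, or None if the comment is ordinary prose,
    is not valid base64, or decodes to binary rather than readable text.
    """
    if not B64_TOKEN_RE.match(token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (ValueError, binascii.Error):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text.isprintable():
        return None
    return text


def suspicious_comments(html):
    """List (raw_comment, decoded_text) pairs worth an analyst's attention."""
    findings = []
    for comment in extract_comments(html):
        decoded = try_decode_base64(comment)
        if decoded is not None:
            findings.append((comment, decoded))
    return findings


if __name__ == "__main__":
    for raw, decoded in suspicious_comments(SAMPLE_HTML):
        print(f"encoded comment: {raw!r} -> {decoded!r}")
```

This is a triage heuristic, not a verdict: legitimate pages can carry long base64-clean tokens in comments (cache keys, build hashes), so the hits are meant to be reviewed alongside the page's reputation and the host that fetched it, and the same extraction can be extended to other encodings the page's comments might use.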

McAfee describes its report as "the most comprehensive analysis ever revealed of victim profiles from a five year targeted operation by one specific actor--Operation Shady RAT [a common acronym in the industry which stands for Remote Access Tool]."
McAfee describes the adversary as having been "motivated by a massive hunger for secrets and intellectual property" and describes its treasure trove of stolen documents as "nothing short of a historically unprecedented transfer of wealth--closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, supervisory control and data acquisition [SCADA] configurations, design schematics and much more."
