A leading computer security firm has used logs produced by a single server to trace the hacking of more than 70 corporations and government organizations over many months, and experts familiar with the analysis say the snooping probably originated in China.
Among the targets were the Hong Kong and New York offices of the Associated Press, where unsuspecting reporters working on China issues clicked on infected links in e-mail, the experts said.
Other targets included the networks of the International Olympic Committee, the United Nations secretariat, a U.S. Energy Department lab, and a dozen U.S. defense firms, according to a report released Wednesday by McAfee, a security firm that monitors network intrusions around the world.
McAfee said hundreds of other servers have been used by the same adversary, which the company did not identify.
But James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies, said “the most likely candidate is China.” The target list’s emphasis on Taiwan and on Olympic organizations in the run-up to the Beijing Games in 2008 “points to China” as the perpetrator, he said. “This isn’t the first we’ve seen. This has been going on from China since at least 1998.”
Another computer expert with knowledge of the study, who spoke on the condition of anonymity out of reluctance to blame China publicly, said the intrusions appear to have originated in China. McAfee dubbed the intrusions “Operation Shady RAT,” with the acronym standing for “remote access tool.”
The intruders were after data on sensitive U.S. military systems, the McAfee report says, as well as material from satellite communications, electronics, natural gas companies and even bid data from a Florida real estate company. Forty-nine of the 72 compromised organizations were in the United States.
“We’re facing a massive transfer of wealth in the form of intellectual property that is unprecedented in history,” said Dmitri Alperovitch, McAfee’s vice president of threat research. He would not name the private entities targeted, but said McAfee helped half a dozen of them investigate intrusions.
Some of the intrusions — such as one into the World Anti-Doping Agency in Montreal — are continuing, he said. Spokesmen for that organization and for the International Olympic Committee said they were not aware of the intrusions. A U.N. spokesman said technicians analyzing the logs have not seen evidence of stolen data. The Energy Department had no comment.
Revealed: Operation Shady RAT (PDF)
Symantec: The Truth Behind the Shady RAT
In the Excel files, we have seen the old, but clearly still effective Microsoft Excel 'FEATHEADER' Record Remote Code Execution Vulnerability (detected by Bloodhound.Exploit.306) being exploited. Once the file is opened on an unpatched computer, a clean copy of an Excel file is dropped and opened so that the user is not suspicious. A Trojan is also dropped and executed. One possible tell-tale sign of this exploit is that Excel appears to hang for a short time before it resumes, and the application may even crash and restart. ... Upon closer inspection of the file and the Trojan code, we can see that there are commands hidden in the image using steganography. These commands are totally invisible to the human eye, since the bits representing the commands are mathematically built into the data representing the image.