Operation Shady RAT Pointing the Way

Cyber-criminals will inevitably launch attacks on small and medium sized businesses in the near future using the same techniques employed by hackers in Operation Shady RAT to compromise more than 70 global companies and governments, security experts believe.

Discovered by Santa Clara, CA-based security company McAfee, Operation Shady RAT appears to have been a concerted effort over a period of at least five years to compromise computers in targeted organizations with the intention of stealing national secrets, software source code, email archives, document stores, and any type of useful intellectual property (IP), according to Dmitri Alperovitch, a McAfee threat researcher.

In some cases organizations’ computers were compromised for more than two years before the hackers were detected. The identity of the hackers is not known, but based on one of the techniques used and the targets that were selected, some security experts believe that the Chinese government is behind the attacks.

“The evidence is compelling and the victimology is telling,” said Harry Sverdlove, CTO of Waltham, MA-based security company Bit9. “The Chinese government is either directly or indirectly behind Operation Shady RAT.” Read more about Sverdlove’s rationale at his blog.

McAfee identified 71 organizations compromised by Operation Shady RAT, as well as evidence that an even greater number had been hacked, and Alperovitch believes that similar operations are already widespread.

“I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2000 firms into two categories: Those that know they’ve been compromised and those that don’t yet know,” he said in his report on Operation Shady RAT.

But victims of intellectual property theft won’t be restricted to global businesses in strategic industries in the future, Sverdlove believes and, because the barriers to entry are lower, the hackers will be simple criminals rather than governments or hackers with state backing.

“I think we will absolutely see more and more companies lower down the economic food chain becoming victims, if they have anything of value,” he told eSecurityPlanet. “If you are building a better widget [than] your competitor, a criminal organization will steal your secrets for them. More and more smaller scale entities will be targeted.”

What sets Operation Shady RAT apart from typical virus infections or intrusions is the hackers involved appear to have been thinking long term; accessing the computers that they compromised over periods of months or even years rather than carrying out smash-and-grab raids to steal as much as they could as quickly as possible for immediate financial gain.

The first stage of each attack appears to have used the technique known as spear phishing. This involves discovering the name and email address of an individual within the targeted organization, and sending them a “weaponized” email — a message with a Word, Excel, PowerPoint or PDF attachment containing malicious code. The message will usually involve an element of social engineering, such as the promise of important information relevant to the individual who has been targeted, to entice them to open the attachment.

Hon Lau, a researcher at Mountain View, CA-based security firm Symantec cites recent example attachments with names that include Participant_Contacts.xls, 2011 project budget.xls, and Contact List -Update.xls. When the targeted individual opens the attachment the malicious code executes, installing and running a Trojan horse program, as well as opening a document to avoid suspicion. The Trojan then contacts a “command and control” server where it can receive instructions.

Symantec research shows that the addresses that the Trojan contacts are often those of image files or html webpages, which are then returned to the Trojan; probably because most companies’ firewalls are configured to accept image files or webpages over http connections. If they didn’t then it would be impossible for employees to browse the Web.

These images or webpages are also “weaponized:” Images contain instructions for the Trojan hidden in the bits that make up the image, while webpages contain encrypted instructions in comments on the Web that appear meaningless to the naked eye but which can be decrypted by the Trojan.

The instructions may direct the Trojan to:

  • Download and run a program from a specified address — perhaps to compromise the computer further, install software such as hacking tools that the hacker wants to use later, or find and compromise other machines on the victim organization’s network;
  • Do nothing for a set amount of time and then re-contact the command and control server; or
  • Establish a connection with the hacker so that they can take over direct control of the computer remotely.

The ultimate aim will likely be to discover and compromise all valuable computers in the network without detection, and to install multiple backdoors so that the hackers can still access compromised machines even if the original Trojan is detected and removed

Given that espionage is often said to be the world’s second oldest profession, it’s perhaps not surprising that hackers are after secrets rather than a quick buck.

So what can you do stop it, you’ve no doubt been asking yourself?

Symantec’s Hon Lau has some general advice to help you to protect yourself against this and similar attacks:

  • Use email filtering to catch weaponized email attachments before they have a chance to compromise your organization.
  • Ensure your operating system and all application software are fully patched to minimize the chances that a weaponized attachment will find a vulnerability to exploit.
  • Ensure your antivirus software is up to date and active. Even if the malicious software that hackers attempt to download to your machine is new and unrecognized, an antivirus product which uses a cloud-based reputation system may be able to protect you.
  • Use an intrusion prevention system (IPS) on your endpoints to help detect any suspicious behavior.
  • Educate end users in your organization about these types of attacks, and the reasons why they should be careful about opening any email attachments unless they are absolutely sure of their origins.

Bit9’s Sverdlove concludes with this stark warning: “Operation Shady RAT is a wake-up call. You should be thinking about security now even if you think that you are small enough to be safe.”

Paul Rubens has been covering IT security for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.

Paul Rubens
Paul Rubens
Paul Rubens is a technology journalist based in England, and is an eSecurity Planet contributor.

Top Products

Top Cybersecurity Companies

Related articles