Operation Shady RAT

Operation Shady RAT (English, roughly "dodgy rat" or "hidden remote access") is the name for a series of hacker attacks in which, from about 2006 to 2011, at least 72 companies, organizations and governments worldwide were systematically spied on. Dmitri Alperovitch, an employee of the U.S. computer security firm McAfee, coined the term, which alludes to the English term Remote Access Tool (remote access software).

Uncovering

On 2 October 2011, at the beginning of the "Black Hat" conference in Las Vegas, Dmitri Alperovitch published on an official McAfee blog a fourteen-page report in which he summarized the facts known to McAfee since March 2011, listed 72 targets of the hackers, and offered a graphical representation of the attacks since 2006. He classified them, like Operation Aurora and Operation Night Dragon, which emanated from China, as an Advanced Persistent Threat and thus as a much larger threat to countries and companies than attacks by groups such as Anonymous or LulzSec. Alperovitch informed the U.S. government, Congress and law enforcement authorities of his discovery.

Assessment

While Alperovitch described the attacks grouped under Operation Shady RAT as "unprecedented", assessed the data loss as an economic threat to companies or whole countries, and raised the question of national security, security researchers at other companies such as Symantec, Kaspersky and Dell SecureWorks were more reserved in their assessments. Details of the extent of the data loss were not yet known, and the technological sophistication of the attackers was not as high as first thought. The Symantec researcher Hon Lau assessed Operation Shady RAT as "significant", but only as "one of many attacks that take place every day". Eugene Kaspersky summarized that the attack was overrated and did not deserve much attention; it had been carried out with inexpensive software, not by a state but by criminals.

Approach of the attackers

In 2009 McAfee had identified a central control server holding logs of the attacks, which could be traced back to mid-2006. Possibly the attacks had started even earlier, and they were still continuing in the summer of 2011. Access to the respective computer systems was obtained with the help of spear-phishing e-mails. These are e-mails which, unlike other phishing e-mails, are sent to recipients who already have access to the attacked network, and which in their correct presentation can hardly be distinguished from a legitimate message. They contain malware that ensures the attacker can subsequently control the infected computer from outside. According to an analysis by the software company Symantec, the e-mails were first sent with attachments in common formats that aroused the interest of the users. These contained malicious code in the form of Trojan horses, which prompted the infected computer to download images in which further commands for remote access were hidden by means of steganography.
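As an added example (not from the original article, and not McAfee's or Symantec's tooling), a defensive check for the image-borne command channel described above. The article does not say how the commands were encoded, so this assumes the simplest variants, bytes appended after the PNG IEND chunk or a non-standard chunk carrying a payload, and builds its own sample images inline:

```python
# Added example, not part of the original article. Heuristic inspection of PNG
# files for the two simplest ways of smuggling a payload inside an image:
# (1) bytes appended after the IEND chunk, (2) a chunk type a normal encoder
# would not emit. The EXPECTED set is an assumption; tune it to your environment.
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
EXPECTED = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"sRGB", b"pHYs"}


def png_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def inspect_png(data: bytes) -> dict:
    """Walk the chunk list; report unusual chunk types and bytes after IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, seen = len(PNG_SIG), []
    while pos + 12 <= len(data):                      # 8-byte header + 4-byte CRC
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError("truncated chunk at offset %d" % pos)
        seen.append(ctype)
        pos += 12 + length
        if ctype == b"IEND":                          # everything after IEND is foreign
            return {"unusual_chunks": [c.decode() for c in seen if c not in EXPECTED],
                    "trailing_bytes": len(data) - pos}
    raise ValueError("truncated PNG: no IEND chunk")


def build_png(extra_chunk=None, trailer=b"") -> bytes:
    """Constructed 1x1 greyscale PNG, optionally with an extra chunk or trailing data."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grey, no interlace
    idat = zlib.compress(b"\x00\x80")                    # filter byte + one pixel
    chunks = png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat)
    if extra_chunk:
        chunks += png_chunk(*extra_chunk)
    return PNG_SIG + chunks + png_chunk(b"IEND", b"") + trailer


def suspicious(data: bytes) -> bool:
    """True if the image carries trailing data or a chunk type outside EXPECTED."""
    r = inspect_png(data)
    return r["trailing_bytes"] > 0 or bool(r["unusual_chunks"])
```

Run it over images written to disk by a process that has no business fetching pictures; a clean encoder output yields no trailing bytes and only EXPECTED chunk types.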

Attacked organizations

At least 72 organizations were attacked; McAfee assumed there were many more, without being able to identify them exactly. Among them were authorities in the United States, Canada, India and other Asian nations, the Association of Southeast Asian Nations (ASEAN), the United Nations, the International Olympic Committee, as well as various companies, one of them in Germany. The majority of the attacks, 49 cases, were directed against American targets. The focus was on the electronics and defense industries. The attackers remained in the compromised systems for between one and 28 months.

According to Alperovitch, the stolen or illegally copied data consisted among other things of secret information from the authorities concerned, source code for software, plans for oil and gas exploration, treaty texts and e-mails. The volume was said to amount to petabytes. A petabyte of storage capacity corresponds to 1000 commercial hard disks of one terabyte each.

Possible offenders

McAfee suggested that the cyber attacks emanated from government bodies, however without being specific. According to Alperovitch, their search for secrets and intellectual property set them apart from the usual motivation of cyber criminals, who seek quick financial gain. The interest in information from Western and Asian Olympic Committees and the World Anti-Doping Agency in connection with the 2008 Summer Olympics spoke for a state in the background, since this information could not be converted directly into commercial success. Jim Lewis of the Center for Strategic and International Studies in Washington suspected that China, the host of the 2008 Olympics, was behind the attacks. The malware researcher Joe Stewart of Dell SecureWorks succeeded in confirming a Chinese origin. He discovered that the attackers used a ten-year-old program called HTran (HUC Packet Transmit Tool), which a Chinese hacker had developed in order to disguise the origin of attacks from China. Whether the Chinese government was involved in the attacks remains open.

Reactions

A statement by the Chinese government failed to materialize; however, pro-government media such as the newspaper Renmin Ribao denied that the Chinese state was the perpetrator. A week after the disclosure of the cyber attacks, the Chinese government announced that it had itself been the victim of half a million such attacks in 2010, of which nearly fifteen percent were carried out from IP addresses in the U.S. However, the respective country of origin of the attacks could not be determined with certainty from the assignment of IP addresses.

The Canadian Minister of Public Works and Public Service, Rona Ambrose, announced three days after the first publication about Operation Shady RAT that she wanted to reduce more than 100 government e-mail systems to 20 and merge 3000 networks. She promised this would both reduce the potential attack surface and save costs. Janet Napolitano, the United States Secretary of Homeland Security, also confirmed that she was examining the McAfee report. Furthermore, the United Nations Office in Geneva and the World Anti-Doping Agency began to check whether the hacker attacks described had taken place. The latter stated, however, that it had a sophisticated security system and that there was no reason to assume that hackers had had access to sensitive data.

In Germany, the Federal Office for Information Security announced that it would examine Alperovitch's report. Dieter Kempf, president of Bitkom, the industry association of the German IT industry, called for an expansion of the National Cyber Response Centre, newly established in June 2011, and for closer cooperation between industry and government agencies. DATEV denied having been one of the targets of the attacks.
