Massive global cyberattack hits US hard: Who could have done it?

Cybersecurity firm McAfee says it infiltrated a 'command and control' server with detailed logs of five years of cyberattacks against targets ranging from the US government to the World Anti-Doping Agency. McAfee suggests a country was behind it. Experts suspect China.

Photo: This screen shot shows the McAfee website. A computer security firm says cybercriminals have spent at least the past five years targeting more than 70 government entities, nonprofit groups and corporations to steal troves of data. (AP)

August 3, 2011

Cyberspies believed to be working for a national government for the past five years have stolen vast amounts of classified, sensitive, or proprietary information from at least 72 companies and government and nonprofit groups in 14 countries, with the bulk of the victims in the United States, a major cybersecurity firm is reporting.

“What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth,” the report’s co-author, Dmitri Alperovitch, a vice president of Santa Clara, Calif.-based McAfee, wrote on his blog.

Targets of the information theft included the US federal and state governments, county governments, and Canadian, South Korean, Vietnamese, Taiwanese, and Indian governments. Among other targets: defense contractors, the United Nations, prodemocracy groups, and individual companies in the steel, energy, solar power, electronics, and computer security industries.

What distinguishes this new report from others in the recent past is its level of detail, some cybersecurity experts said. In part that could be because the perpetrators created detailed logs of their exploits on a “command and control” server that McAfee was able to infiltrate.

“Closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts,... and much more has ‘fallen off the truck’ of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries,” Mr. Alperovitch wrote.

'Massive economic threat'

The impact of that loss represents a “massive economic threat” not only to companies and industries but whole nations that now could see diminished economic growth as the global competitive landscape intensifies – and jobs lost, according to McAfee's report, “Revealed: Operation Shady RAT.” RAT is an acronym for “Remote Access Tool.”

Unlike typical cybercriminals, McAfee says the cyberspies showed keen interest in nonmonetary information, infiltrating economic trade groups, think tanks and political and nonprofit groups – even international sports. Asian and Western national Olympic Committees were targets, as were the International Olympic Committee (IOC) and World Anti-Doping Agency – both hit in the months before and after the 2008 Olympics.

These latter instances “potentially pointed a finger at a state actor behind the intrusions, because there is likely no commercial benefit” behind such hacks, the McAfee report said. The cyberspies also targeted the computer networks of political nonprofits, private Western groups that promote democracy, and a US national security think tank. Besides the UN, ASEAN (the Association of Southeast Asian Nations) was also hacked.

Even though McAfee did not name the country believed to be behind the attacks, their scope, targets, and technical skill left other cyberexperts strongly suspecting a nation frequently cited as the perpetrator behind many cyberespionage probes: China.

China at 'top of the list'

“China rises to the top of the list of nations that could do this,” says James Lewis, a senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies in Washington. “This fits precedent with other attacks we've seen. It's not conclusive, but who else cares this much about Taiwan?”

The McAfee report also cited but did not name a news organization whose New York and Hong Kong bureaus were targeted in 2009. The Associated Press, which was earlier reported to have been the target of similar information-grabbing attacks in the past, would not confirm the reports or comment on them, spokesman Jack Stokes told the Monitor.

Yet the vast loss of information to this particular cyberthief represents just a fraction of the total stolen each year from networks worldwide in what has become an enormous drain on the competitive edge that has long undergirded US and other developed nations' economies.

“This report only hints at the massive loss of information being downloaded each year,” says Scott Borg, chief economist of the US Cyber Consequences Unit, a research organization. “All the stuff being sucked out of these companies is a real worry. Not all of it is intellectual property, but it’s a lot of stuff nonetheless vital to these companies.”

Mr. Borg estimates the loss to such thefts at $6 billion to $20 billion annually for the US alone. That loss could be far higher, except that the perpetrators have a limited capacity to digest the specialized information and capitalize on it, he says.

The attacks uncovered by McAfee fit the pattern of other attacks attributed to Chinese hackers. Among the best documented came in March 2009, when Canadian researchers identified 1,295 computers in 103 countries infected by spyware and operated as a network of compromised machines they dubbed “GhostNet.” Unlike many viruses that infect randomly, the compromised computers of GhostNet belonged to high-value targets like embassies and nongovernmental organizations. Their common thread was the foreign policy concerns of China, the report found.

In January 2010, Google reported that it and dozens of other companies had been victims of a hack it attributed to China. In February this year, McAfee reported that several multinational oil companies were victims of cyberespionage by Chinese hackers who downloaded sensitive data from their corporate networks, including the companies’ crown jewels – “bid data” detailing oil discoveries worldwide. In that case, McAfee fingered Chinese hackers as the likely culprits working on behalf of the government.

“We have strong evidence suggesting that the attackers were based in China,” McAfee's George Kurtz wrote in his blog at the time. “The tools, techniques, and network activities used in these attacks originate primarily in China. These tools are widely available on the Chinese Web forums and tend to be used extensively by Chinese hacker groups.”

In that report, McAfee did not identify the names of the oil companies involved, although other news organizations, including the Wall Street Journal, later reported the names of the five oil companies hit by the attacks.

That McAfee finding closely paralleled a January 2010 Monitor report that found cyberespionage attacks attributable to China had infiltrated computer networks belonging to at least three global oil giants – Marathon Oil, ExxonMobil, and ConocoPhillips. None of them realized the extent of the attacks that hit them in 2008 until the FBI alerted them that year and in early 2009, the Monitor reported at the time.

Chinese spokesmen routinely rebuff accusations of cyberespionage. In June, Chinese Embassy spokesman Wang Baodong denied to the Monitor any culpability for his nation for the hack involving Gmail.

“Hacking is an international problem and China is also a victim,” Mr. Wang said in an e-mailed comment. “As a responsible player in cyberspace, China strongly supports international cooperation in cracking down on unlawful activities. The claims of so-called Chinese state support for hacking are completely fictitious, and arbitrarily blaming misdeeds on China is irresponsible and unacceptable.”