
Massive cyber attack hit Canadian government, companies

Two Canadian government agencies' computer systems were infiltrated as part of a massive global cyber attack that spanned at least five years and was likely perpetrated by a foreign government, a report released Wednesday says.


The Canadian government was among 72 organizations, including the United Nations, U.S. government, defence contractors and other international companies, that are said to have been compromised.


Security company McAfee, which uncovered the security breaches, said Wednesday it believes there was one "state actor" behind the attacks but declined to name it, though one security expert who has been briefed on the hacking said the evidence points to China.


While specific victims were not named, the report said two government agencies in Canada had been targeted, as well as the Montreal-based World Anti-Doping Agency and a Canadian information-technology company.


The government agencies were infiltrated in October 2009 and January 2010, respectively. The former lasted for six months, while the latter ended after only one month.


The World Anti-Doping Agency was compromised for 14 months starting in August 2009 and the information technology company was infiltrated for four months in July 2008.


In January, the Department of Finance and Treasury Board confirmed hackers had accessed their networks by sending malicious emails to high-ranking department officials that contained a link to a webpage infected with a sophisticated virus. It then opened a pathway deep into the government networks and installed spy malware.


They also sent infected PDF files that, when opened, unleashed more malicious code to target and download government secrets.


The finance department posted a job notice in mid-July looking for a senior computer security specialist to fortify the department's network against further intrusions. As a measure of the urgency involved, bidding on the one-year contract, worth as much as $500,000, was limited to one week and open to only five companies. The department was also seeking a senior IT security analyst to carry out a network threat and risk assessment.


The Harper government has publicly downplayed the extent of the Ottawa breach, but a recent report cites a Jan. 31 government memo saying that "data has been exfiltrated and that privileged accounts have been compromised." It is not clear whether the memo is referring to finance, treasury or both.


The finance department Wednesday couldn't say for how long their systems were compromised, nor what level of access the hackers were able to obtain.


The Treasury Board said that "no classified Treasury Board Secretariat information was taken from the TBS network. Beyond that, we do not comment on the details of security-related incidents."


McAfee dubbed the attacks "Operation Shady RAT." RAT stands for "remote access tool," a type of software that hackers and security experts use to access computer networks from afar.


McAfee's vice president of threat research, Dmitri Alperovitch, said the compromises themselves were standard procedure for these types of "targeted intrusions."


Typically, what's called a "spear-phishing email" containing a corrupted file is sent to an individual with the right level of access at the company. When the victim opens the email, it triggers a download of the implanted malware which opens "a backdoor communication channel to the command and control web server."

The report said "this will be quickly followed by live intruders jumping on to the infected machine and proceeding to quickly escalate privileges and move laterally within the organization to establish new persistent footholds via additional compromised machines running implant malware, as well as targeting for quick exfiltration the key data they came for."


In short, the RAT gets into the house, sniffs around for the tastiest crumbs, has a bunch of babies, and sets up shop — undetected.


The long list of victims in the five-year campaign also includes the governments of the United States, Taiwan, India, South Korea, and Vietnam; the Association of Southeast Asian Nations; the International Olympic Committee (IOC); and an array of companies, from defence contractors to high-tech enterprises.


In the case of the United Nations, the hackers broke into the computer system of its secretariat in Geneva in 2008, hid there for nearly two years, and quietly combed through reams of secret data, according to McAfee.


"Even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators," said Alperovitch.


The activist groups Anonymous and Lulz Security have recently grabbed the spotlight for temporarily shutting down some high-profile websites and defacing others.


But attacks like Operation Shady RAT are far more costly and often undisclosed, as victims fear reputational damage or attention from other hackers. McAfee sees Operation Shady RAT as the tip of the iceberg.


"I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact," Alperovitch wrote in the report.


"In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they've been compromised and those that don't yet know."


"What is happening to all this data . . . is still largely an open question. However, if even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team's playbook), the loss represents a massive economic threat."


McAfee learned of the extent of the hacking campaign in March this year, when its researchers discovered logs of the attacks while reviewing the contents of a "command and control" server that they had discovered in 2009 as part of an investigation into security breaches at defence companies.


Some of the attacks lasted just a month, but the longest — on the Olympic committee of an unidentified Asian nation — went on and off for 28 months, according to McAfee.


"Companies and government agencies are getting raped and pillaged every day. They are losing economic advantage and national secrets to unscrupulous competitors," Alperovitch told Reuters.


"This is the biggest transfer of wealth in terms of intellectual property in history," he said. "The scale at which this is occurring is really, really frightening."


Alperovitch said that McAfee had notified all 72 victims of the attacks, which are under investigation by law enforcement agencies around the world. He declined to give more details.


Jim Lewis, a cyber expert with the Center for Strategic and International Studies who was briefed on the hacking discovery by McAfee, said it was very likely China was behind the campaign because some of the targets had information that would be of particular interest to Beijing.


The systems of the IOC and several national Olympic Committees were breached in the run-up to the 2008 Beijing Games, for example.


And China views Taiwan as a renegade province, and political issues between them remain contentious even as economic ties have strengthened in recent years.


"Everything points to China. It could be the Russians, but there is more that points to China than Russia," Lewis said.


McAfee, acquired by Intel Corp. this year, would not comment on whether China was responsible.


Security company McAfee, which uncovered the intrusions, said it believed there was one "state actor" behind the attacks but declined to name it, though one security expert who has been briefed on the hacking said the evidence points to China.

I wonder what Peter boy has to say about the Grandfather connection...

-Lik
