RAT Hacking Evidence fresh from the source

Previously, we discussed the dangers of hacking and measures to take against an attack in the LulzSec blogs.  Now we will delve into a different aspect of the wide world of cybercrime.  We will not, however, look at a particular company or group that hacked different entities and organizations.  Instead, we will observe the findings of McAfee after they accessed a server that had been used for attacks since 2006.  Operation Shady RAT (RAT being short for Remote Access Tool) has introduced new evidence on the targets, motivations, and frequency of hacking, which is summarized below.

Hacking Evidence from Operation Shady RAT

McAfee took possession of a server that had been utilized as a hacking device since 2006 and analyzed its contents, revealing a large amount of information on attack trends and the methods used by hackers.  On August 2, 2011, McAfee published their findings in a report titled Revealed: Operation Shady RAT.  Although there have recently been highly publicized attacks by Anonymous and LulzSec, these attacks are not new.

After acquiring the command and control server, researching its logs, and tracing the attacks, the results were shocking.  Even McAfee's own employees were surprised at the level of penetration, the wide scope of the assault, and the overall impudence of the intruders.  The perpetrators hacked into seventy-one different companies and organizations by using this server.

RAT Targets

The types of targets that Shady RAT attacked ran the gamut.  These hackers attacked government agencies, but unusually these attacks were not just on American government agencies but on government agencies worldwide.  They also hit a non-profit think tank based in the United States.  These attackers even went as far as to attack the Olympic committees of various countries.

Still, the vast majority of attacks were on government agencies worldwide, with a total of twenty-one different government bureaus across the globe being attacked.  In addition to government agencies, another high-risk industry was defense contractors.  In fact, thirteen defense contractor attacks were coordinated through the command and control server in this study.

If the results of Operation Shady RAT are considered representative of other attacks, they could call into question some common assumptions about the focus of attacks.  A common belief is that hacks primarily occur against the United States, Canada, and Europe.  While Operation Shady RAT showed that the majority of attacks did occur in those regions, with forty-nine against organizations within the United States, four against Canada, and six against Europe, ten attacks were focused on Asian countries.

Companies in Asian countries often get less media attention for hacks against them.  The underlying issue with the attacks carried out through this server is that, since the range of companies and organizations is so broad, anyone could be vulnerable.  Protection is not optional for companies.  Everyone needs to be concerned with information security.

RAT Attack Types

Even more intriguing were the findings on the types of attacks used and the evidence of what the attackers obtained or attempted to obtain.  The oft-cited motivation for hacking has been commercial gain, but the same server was used both for commercial hacks and for hacks that had no commercial interest.

Hacktivism, hacking to promote a political agenda, is seen clearly in the attacks on the Olympics.  Interestingly, logs from the server outline attacks on Olympic committees, especially in the time leading up to the 2008 Olympics.  Furthermore, the attacks on the non-profit think tank also provide evidence that the hacks were not carried out by a group solely focused on commercial gain.

RAT Attack Frequency

Another interesting point made by the report is the frequency of the attacks and the amount of time the hackers remained inside various organizations without detection.  There have been difficulties and controversies over the number of successful attacks that take place, since organizations are reluctant to report incidents for fear of losing customer confidence.  Operation Shady RAT provides real data on the number of attacks that took place.  The data is limited to only the attacks that ran through this one command and control server, but it is unfiltered by corporate PR departments.

In 2006, when this server began directing attacks, only eight organizations were infiltrated; by the next year, however, that number had jumped to twenty-nine.  The frequency of the attacks continued to rise until it peaked in 2009 with thirty-eight attacks, then tapered off within the last two years.  The amount of time spent inside these companies and organizations is also tremendous.  The time spent within a company ranges from just one month to twenty-eight months.  For example, the hack on a South Korean construction company began in 2006 and lasted seventeen months without detection.  Meanwhile, the twelfth United States defense contractor was under attack and infiltrated for only one month.

Operation Shady RAT Conclusions

Upon a thorough reading of McAfee's findings, we can conclude that anyone is vulnerable to attack, not just government offices or major companies.  Thanks to the report, better knowledge of the types of attacks is now available.  Don't assume that you will not be attacked.  Hackers are targeting companies of all shapes and sizes.  Be prepared by implementing antivirus controls, layered security, security awareness training to guard against phishing and other common attacks, and incident response planning.

About The Author

Eric Vanderburg

Eric Vanderburg is an author, thought leader, and consultant. He serves as the Vice President of Cybersecurity at TCDI and Vice Chairman of the board at TechMin. He is best known for his insight on cybersecurity, privacy, data protection, and storage. Eric is a continual learner who has earned over 40 technology and security certifications. He has a strong desire to share technology insights with the community. Eric is the author of several books and he frequently writes articles for magazines, journals, and other publications.