Command and control server reveals interesting details on bot usage


Previously, I have discussed the dangers of hacking and measures to take against an attack in the LulzSec blogs.  Now I will delve into a different aspect of the wide world of hackers.  We will not, however, look at a specific group that hacked different entities and organizations.  Instead, I will review the findings McAfee published after they gained access to a server that had been used for attacks since 2006.  Operation Shady RAT, RAT being short for Remote Access Tool, has introduced new evidence on the targets, motivations, and frequency of hacking, which is summarized below.

McAfee took possession of a server that had been utilized as a hacking device since 2006 and analyzed its contents, revealing a great deal of information on attack trends and the methods used by hackers.  On August 2, 2011, McAfee published their findings in a report titled Revealed: Operation Shady RAT.  Although there have recently been highly publicized attacks by Anonymous and LulzSec, these kinds of attacks are not new.

After acquiring the command and control server, researching its logs, and tracing the attacks, McAfee found the results shocking.  So shocking that even McAfee employees were surprised at the level of penetration, the wide scope of the attacks, and the overall impudence of the intruders.  The perpetrators hacked into seventy-one different companies and organizations using this server.

The types of targets that Shady RAT attacked ran the gamut.  These hackers attacked government agencies, and unusually these attacks were not just on American government agencies but on government agencies worldwide.  They also hit a nonprofit think-tank based in the United States.  These attackers even went as far as to attack the Olympic committees of various countries.  Still, the vast majority of attacks were on government agencies worldwide, with a total of twenty-one different government bureaus across the globe being attacked.  Alongside the governmental findings, another high-risk industry was defense contracting.  In fact, thirteen defense contractor attacks were coordinated through the command and control server McAfee obtained access to.

If the results of Operation Shady RAT are considered representative of other attacks, they could call into question some common assumptions about the focus of attacks.  A common belief is that hacks primarily occur against the United States, Canada, and Europe.  While Operation Shady RAT showed that the majority of attacks did occur against those regions, with forty-nine against organizations within the United States, four against Canada and six against Europe, ten attacks were focused on Asian countries.  Companies in Asian countries often get less media attention for hacks against them.  The underlying issue with the attacks carried out by this server is that, since the range of companies and organizations is so broad, anyone could be vulnerable.  Protection is not optional for companies.  Everyone needs to be concerned with information security.

Even more intriguing were the findings on the types of attacks used and the evidence of what the attackers obtained or attempted to obtain.  The oft-cited motivation for hacking has been commercial gain, but the same server was used for commercial hacks and for hacks that had no commercial interest.  Hacktivism, hacking to promote a political agenda, is seen clearly in the attacks on the Olympics.  Interestingly, logs from the server outline attacks on Olympic committees, especially in the time leading up to the 2008 Olympics.  Furthermore, the attacks on the nonprofit think-tank also provide evidence that the hacks were not carried out by a group solely focused on commercial gain.

Another interesting point made by the report is the frequency of the attacks and the amount of time the hackers remained inside various organizations without detection.  There have been difficulties and controversies over the number of successful attacks that take place, because organizations are reluctant to report incidents for fear of losing customer confidence.  Operation Shady RAT provides real data on the number of attacks that took place.  The data is limited to only the attacks that took place from this one command and control server, but it is unfiltered by corporate PR departments.

In 2006, when this server began directing attacks, only eight organizations were infiltrated; by the next year that number had jumped to twenty-nine.  The regularity of the attacks continued to rise until it peaked in 2009 with thirty-eight attacks, and then tapered off within the last two years.  The amount of time spent inside these companies and organizations is also tremendous.  The length of time spent within a company ranges from just one month to twenty-eight months.  For example, the hack on a South Korean construction company began in 2006 and lasted seventeen months without detection.  Meanwhile, the twelfth United States defense contractor was under attack and infiltrated for only one month.

Upon a thorough reading of McAfee's findings, I can now conclude that anyone is vulnerable to an attack, not just government offices or major companies.  Also, thanks to the report, better knowledge of the types of attacks is now out there and available.  Read through some previous postings to find out how to protect yourself and your company.