Attack hits 70+ multi-national organizations and government entities
It doesn’t seem as though a week goes by without the report of another corporation’s computer network being hacked. Some of the attacks have focused on users’ personal information, specifically the LulzSec hacks of both the Sony intranet that released PlayStation Network user data and the UK’s National Health Service that exposed patient data.
In August a massive attack was revealed, dubbed Operation Shady RAT. In the software world, a RAT is a remote access tool that enables a user to administer another computer from afar.
McAfee discovered this intrusion, and found it had impacted more than 70 global companies, governments and non-profit organizations during the last 5 years.
“I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact,” states Dmitri Alperovitch, vice president of Threat Research at McAfee in his report on the attack. “In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”
Intrusion monitoring systems can help spot these types of attacks, but organizations should also shore up security by requiring the use of strong credentials. Operation Shady RAT and many other attacks were initiated by stealing a user’s login information through a phishing email. If strong credentials or one-time pass codes were in place many of these hacks could have been prevented.
Operation Shady RAT was a standard attack. A spear-phishing email containing malware was sent to an individual with high-level access at his or her company.
When the malware reached an unpatched system, it initiated a backdoor channel to a Web server, which was quickly followed by live intruders jumping onto the infected machine. They then escalated privileges, established new footholds via additional compromised machines and targeted key data.
This attack hit 71 organizations in 14 countries, from state and federal government to defense contractors, non-profits and corporations. “After painstaking analysis of the logs, even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators,” Alperovitch states. “Although we will refrain from explicitly identifying most of the victims, describing only their general industry, we feel that naming names is warranted in certain cases, not with the goal of attracting attention to a specific victim organization, but to reinforce the fact that virtually everyone is falling prey to these intrusions, regardless of whether they are the United Nations, a multinational Fortune 100 company, a small non-profit think-tank, a national Olympic team, or even an unfortunate computer security firm.”
Nobody knows what happened to the data stolen, but Alperovitch states that it could pose a threat to national security. “If even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat not just to individual companies and industries but to entire countries that face the prospect of decreased economic growth in a suddenly more competitive landscape and the loss of jobs in industries that lose out to unscrupulous competitors in another part of the world, not to mention the national security impact of the loss of sensitive intelligence or defense information.”
McAfee states that the attacks were most likely state sponsored, but did not release what country might have been behind the attacks.
The threat to national security is a reason for the National Strategy for Trusted Identities in Cyberspace. An increase in fraud and identity theft poses a risk to national security and is a reason strong identity credentials are necessary, the strategy posits.
“Make sure that everyone coming in as a user has a strong identity,” says Ray Wizbowski, global senior director of marketing for the Security Business Unit at Gemalto. “It could be a certificate-based PKI infrastructure or even an OTP which gives you a stronger posture than user names and passwords.”
Network vulnerability tools will also be necessary to protect an organization, but making sure only authorized individuals gain access to network information is also a necessity, Wizbowski says.
Organizations should use a risk-based approach to determine who has access to what systems. “Where there’s less risk most can use a one-time pass code device or application to gain access,” Wizbowski says. “When there’s privileged access and you’re talking about sensitive information, like people’s compensation, you need stronger authentication. And when it comes to privileged access–a super user or network administrator–you need to make sure that person has a much stronger ID.”
Network administrators, board members and executives all should be required to use strong identity credentials with verified identities, certificates and even a biometric element, Wizbowski says.