McAfee uncovers monolithic targeted attack campaign

Operation Shady RAT targeted more than 72 organisations, including the UN and the International Olympic Committee.


A huge targeted attack campaign, which lasted over five years and went after Governments as well as private businesses, has been reported by McAfee.

The security specialist said the attacks may have been state-sponsored due to a number of non-profit bodies being targeted. These included the UN and the International Olympic Committee.

The security giant identified 72 of the compromised parties, but many more were hit in the Operation Shady RAT attacks.

One UK computer security company was compromised for six months, whilst a defence contractor in this country was infected for a year.

Of those 72, 22 were Government organisations, including 14 US Government bodies. Another 13 were defence contractors.

Two of the targeted firms were from the UK, compared to 49 from the US.

The attacks were typical targeted attacks, with spear phishing emails containing an exploit sent to workers within organisations.

"The exploit when opened on an unpatched system will trigger a download of the implant malware. That malware will execute and initiate a backdoor communication channel to the Command & Control web server and interpret the instructions encoded in the hidden comments embedded in the webpage code," said Dmitri Alperovitch, vice president for threat research at McAfee, in a blog post.

"This will be quickly followed by live intruders jumping on to the infected machine and proceeding to quickly escalate privileges and move laterally within the organisation to establish new persistent footholds via additional compromised machines running implant malware, as well as targeting for quick exfiltration the key data they came for."

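The command channel Alperovitch describes, instructions encoded in hidden comments in a web page, can be hunted for in web responses captured at a proxy. The Python below is an added example, not code from McAfee or from the original article; the assumption that encoded instructions appear as long base64-style tokens, the entropy threshold and both sample pages are constructed for illustration.

```python
import math
import re
from collections import Counter

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Assumption: an encoded instruction is one long unbroken base64-style token.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{24,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off, tune on your own traffic


def shannon_entropy(text):
    """Bits per character of the string's character distribution."""
    counts = Counter(text)
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def suspicious_comments(html):
    """Return (token, entropy) for comment tokens that look encoded, not written."""
    hits = []
    for body in COMMENT_RE.findall(html):
        for token in TOKEN_RE.findall(body):
            score = shannon_entropy(token)
            # Separator rows such as "=====" are long but have near-zero entropy.
            if score >= ENTROPY_THRESHOLD:
                hits.append((token, round(score, 2)))
    return hits


# Constructed sample pages (not real campaign artefacts).
BENIGN_PAGE = """<html><body>
<!-- navigation starts here -->
<!-- ================================================ -->
<p>Welcome</p></body></html>"""

SUSPECT_PAGE = """<html><body>
<!-- footer -->
<p>Under construction</p>
<!-- Q29uc3RydWN0ZWQgc2FtcGxlIHRva2VuIGZvciBkZXRlY3Rpb24gdGVzdA== -->
</body></html>"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("suspect", SUSPECT_PAGE)):
        print(name, suspicious_comments(page))
```
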
A major US news organisation was compromised at its New York Headquarters and Hong Kong Bureau for more than 21 months, according to McAfee. The longest compromise hit the Olympic Committee of a nation in Asia, lasting 28 months.

"After painstaking analysis of the logs, even we were surprised by the enormous diversity of the victim organisations and were taken aback by the audacity of the perpetrators," Alperovitch said.

"Virtually everyone is falling prey to these intrusions, regardless of whether they are the United Nations, a multinational Fortune 100 company, a small non-profit think-tank, a national Olympic team, or even an unfortunate computer security firm."

The majority of organisations hit have cleaned their systems of infection from the Operation Shady RAT campaign.

Earlier this year, McAfee reported on another wide-scale cyber attack targeting critical infrastructure - Operation Night Dragon.
