Operation Shady RAT

During early August 2011, it was revealed that the governments of the United States, Canada and South Korea, along with the UN, the International Olympic Committee and 12 US defense contractors were hacked during a five-year campaign known as “Operation Shady RAT.” Security experts commented that this was likely the biggest series of cyber-attacks to date, as the networks of at least 72 organizations across 14 different countries were successfully infiltrated.

What happened?

McAfee first discovered the infiltration in 2009, when it came across a command-and-control server that the hackers were using to direct the remote administration tools (RATs). The earliest breaches date back to mid-2006, though it is highly likely that there were other, undetected intrusions.

The RATs were installed in victim organizations through spear-phishing techniques that are now commonplace. Legitimate-looking e-mails were sent to employees of the target organizations. The e-mails carried attachments containing exploit code, typically zero-day exploits, that compromised the employee’s system. The hackers then used the compromised computers to install RAT software, which permitted long-term monitoring, collection of credentials, network probing and data exfiltration.

This attack technique has been seen numerous times. For instance, this same pattern was repeated to break into RSA, the French and Canadian Finance Ministries and numerous oil and gas companies this year. Notably, it was also used during the Operation Aurora attacks in late 2009.

According to Dmitri Alperovitch, McAfee’s vice president of threat research:

“Even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators. What is happening to all this data… is still largely an open question. However, if even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat.”

McAfee reported that the total data stolen through Operation Shady RAT amounted to petabytes. The targets included governments; technology and defense companies; nonprofit sports bodies; and think tanks. McAfee points out that the targeting of nonprofit sports bodies, whose commercial value is relatively low, and of think tanks suggests the attacks were most likely perpetrated by a state actor.

McAfee is currently working with US government agencies in an attempt to shut down the command-and-control server. The firm is also working with the victims, informing them of the attacks and offering assistance with their response efforts. Surprisingly, some victims continue to deny the attacks, even though they have been presented with significant evidence to the contrary.

The parties responsible?

Jim Lewis, a cyber expert with the Center for Strategic and International Studies, said that it was highly likely that China was behind the campaign, as some of the targets held information that would have been significant to Beijing. He pointed out that the presence of the International Olympic Committee and the Taiwanese government among the victims indicates China’s involvement. Speaking to Reuters, Lewis said, “Everything points to China. It could be the Russians, but there is more that points to China than Russia.”

In response to these allegations of state-sponsored hacking, the Google Chinese spokesman Hong Lei commented, “Hacking is an international problem and China is also a victim. The claims of so-called support for hacking are completely unfounded and have ulterior motives.”

According to McAfee’s Operation Shady RAT white paper:

“[The attacks have] been one specific operation conducted by a single actor/group. We know of many other successful targeted intrusions (not counting cybercrime-related ones) that we are called in to investigate… This is a problem of massive scale that affects nearly every industry and sector of the economies of numerous countries, and the only organizations that are exempt from this threat are those that don’t have anything valuable or interesting worth stealing.”

This article takes a look at Operation Shady RAT, a five-year hacking campaign that targeted 14 different countries and at least 72 different organizations. Included in the victim list were governments; technology and defense companies; nonprofit sports bodies; and think tanks. Hackers used RATs (remote administration tools) to facilitate long-term monitoring, collection of credentials, network probing and data exfiltration from victim organizations.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

  • Privacy Concerns – Organizational Practices (II.A.b.)
  • Government and Citizen Surveillance (II.A.k.)
  • System Monitoring (II.A.l.)
  • Privacy-Enhancing Technologies (III.B.c.)
