Computer security company McAfee made quite a splash Wednesday with the release of a study covering five years of cyber attacks against at least 72 different organizations, including 22 government entities in the U.S., Canada, South Korea and elsewhere as well as 13 defense contractors. Other victims included the Asian and Western national Olympic Committees, International Olympic Committee (IOC), World Anti-Doping Agency, the United Nations and the ASEAN (Association of Southeast Asian Nations) Secretariat. Some victims' computer networks were compromised for years without anyone noticing.
The greatest threat to cyber security comes from those quietly stealing secrets and intellectual property as opposed to loosely organized, attention-seeking so-called hacktivist groups such as Anonymous or Lulzsec, according to Dmitri Alperovitch, vice president of threat research at computer security firm McAfee (which was bought by Intel in February) and the report's author. Whereas the cyber criminals making headlines are interested mostly in shutting down or defacing their victims' Web sites, the most dangerous criminals are absconding with guarded national secrets (including from classified government networks), source code, computer malware databases, e-mail archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, supervisory control and data acquisition (SCADA) configurations and design schematics.
Alperovitch argues that the national and industrial espionage carried out by these hacks poses serious economic and security threats well beyond the victims themselves. "This is different from the immediate financial gratification that drives much of cybercrime, another serious but more manageable threat," he wrote. Alperovitch called the five-year period of cyber attacks analyzed Operation Shady RAT (for "remote access tool," which could be a piece of Trojan horse software used to sneak malware onto a computer or network).
The identities of the victims helps provide some clues as to who perpetrated at least some of these attacks. Interest in the information held at the Asian and Western national Olympic Committees, as well as the IOC and the World Anti-Doping Agency in the lead-up and immediate follow-up to the 2008 Olympics, was "particularly intriguing and potentially pointed a finger at a state actor behind the intrusions, because there is likely no commercial benefit to be earned from such hacks," according to Alperovitch, who stopped short of pointing the finger at any particular country. Indeed, it is very difficult to trace hacks back to their original source.
The release of the Operation Shady RAT report coincides with the start of this week's Black Hat technical security conference in Las Vegas, where security firms spend several days presenting research to colleagues, government agencies and, as it turns out, hackers. Such presentations are at times controversial. In 2005, to provide just one example, a security researcher proceeded with a presentation highlighting flaws in Cisco's network routers despite being warned that such information would put countless networks at risk. Cisco subsequently filed a lawsuit preventing the researcher and Black Hat conference organizers from further distributing the material presented.
Regarding the dire implications of McAfee's revelations, it should be noted that while many computer security firms such as McAfee conduct research into security vulnerabilities, they also specialize in selling products designed to defend against those same vulnerabilities. This is not unlike the conflict-of-interest controversy that financial investment firms have faced for distributing favorable research or ratings for the very same investments they sell, although the buy and sell sides are supposed to operate independently.
Image courtesy of Yong Hian Lim, via iStockphoto.com