World’s biggest-ever cyber attacks uncovered – and it’s only the beginning

At least 72 major organisations were hacked in “Operation Shady Rat”. Gilderic (Recovering)

It’s official: we have entered a brave new world.

On Tuesday (US time), IT security company McAfee announced the discovery of the most extensive hack attacks ever seen, which the company referred to as “Operation Shady RAT”.

The unprecedented series of attacks was conducted over a five-year period against at least 72 major organisations, including:

  • The governments of the United States, Taiwan, India, South Korea, Vietnam and Canada
  • The Association of Southeast Asian Nations (ASEAN)
  • The International Olympic Committee (IOC)
  • The World Anti-Doping Agency

In many ways, these attacks resemble the recent cyber attacks against Sony and others by groups such as LulzSec and Anonymous.

We are only just starting to see the scale that network effects can create. Beneficially, network effects have created great new means of connecting people across the globe and of opening new markets.

At the same time, espionage groups have also used this model extremely successfully to infiltrate countless systems and to steal immeasurable quantities of extremely valuable information.

Trade secrets, business processes, early unpatented research – all this and more have been stolen. Although we are unlikely to ever really know, all fingers, it would seem, point squarely at China.

James Lewis, a cyber expert with the Center for Strategic and International Studies in America, was briefed on the discovery by McAfee.

He said some of the targets of the concerted cyber campaign had information that would be of particular interest to Beijing.

“It could be the Russians, but there is more that points to China than Russia,” he said.

America and Britain have capabilities to pull off this kind of campaign, he added, but: “We wouldn’t spy on ourselves and the Brits wouldn’t spy on us.”

We are entering a new stage in history. Just as Web 2.0 and the surge of social media have created new paradigms, distributed attacks based on networks of compromised computers will create new headaches – migraines even – for organisations globally.

The question we have to ask is: was Operation Shady RAT something out of the blue, or is this just a sample of what we can expect to occur more and more in the future?

The simple answer is that we can expect these attacks to not only continue, but to keep growing in scale and intensity.

This is only the beginning. Security governance expert and instructor at IT security organisation SANS, Benjamin Wright, said:

“Cyber security has become bigger than a risk/reward or return on investment analysis can convey. It’s now mission critical.

“From the perspective of a board of directors, achieving genuine security is like hiring a top executive. Do it right and the company thrives; do it wrong and the company suffers dearly.”

We have been complacent. We look at security theatre and add bells and whistles while forgetting the basics and fundamentals.

We look to compliance regimes that allow managers to say they have done a good job when the holes in their systems allow criminals, intelligence agents and others into their networks and secrets.

Operation Shady RAT has exceeded Operation Aurora – a cyber security discovery by McAfee in early 2010 – in size and scope, but it is not going to be the biggest espionage-based network of this decade.

State-based espionage brings cyber attacks into everybody’s living room and makes us all complicit.

We fail to care in the ill-conceived belief that we are small enough not to matter. We are forgetting that we have access to work email accounts, portals and more.

Each computer, be it home, corporate or government-based, adds to these networks and increases the network effect they deliver.

Each attack provides the relevant cyber crime organisation with a competitive advantage they did not earn and damages the economy of the country these secrets have been stolen from.

We have already seen botnets estimated to have more than 10 million computers. But this will pale into insignificance compared to what we can expect in this coming decade.

As SCADA and other critical information control systems come online, it will not only be our secrets that are at risk, but even lives.

Last year’s notorious super-virus Stuxnet started a new trend in SCADA-based malware.

This was used to attack nuclear control systems in Iran, but we can expect this to be the first of many.

In time, we can expect to see water, power and even rail systems targeted and with this the general population will be at risk as critical infrastructure fails.

Maybe this attack is the wake-up call we’ve all been waiting for.

  1. Shozaburo Takitani

    Internet Activist

    You claim the McAfee article as if it is a source of peer reviewed literature. McAfee are a software company with a vested interest in security.

    Botnets have been around for a significant amount of time and are operated by nation states, criminal organisations and even Anonymous. It's not as if this is anything new or anything the InfoSec community hasn't known about for a significant period of time.

    Whilst I don't doubt that there is a serious issue with digital security, getting this information…

    1. Craig S Wright

      PhD; Adjunct Lecturer in Computer Science at Charles Sturt University

      In reply to Shozaburo Takitani

      Shozaburo, I have to comment on your quote first of all. That was: "The only truly secure computer is one buried in concrete, with the power turned off and the network cable cut."
      That is an incredibly dated version of security. One of the primary aspects of security is Availability. A system buried in concrete has no use and is not secure as it is not available. If the NCIC database was not open to be accessed from law enforcement all over the US, it has no purpose. Internet banking with a DDoS…

    2. Shozaburo Takitani

      Internet Activist

      In reply to Craig S Wright

      Craig,

      Firstly, having anything open, or available, is inherently insecure. There is nothing to stop a rogue cop from finding flaws in NCIC and exploiting them. I agree that it would be difficult to do it, but not impossible. A DDoS, while annoying, is not what I would call a security issue unless it is being used as a decoy to mask any actual security breaches. The point of the quote was not to say that we have to bury our computers in concrete, it was to say that with enough effort, anything is…

    3. Craig S Wright

      PhD; Adjunct Lecturer in Computer Science at Charles Sturt University

      In reply to Shozaburo Takitani

      "Having anything open, or available, is inherently insecure."
      It is a shame that you feel this way; there are many secure systems that are open. Using monitoring and other controls allows one to access information related to one's needs while also stopping access to other information.

      "A DDoS, while annoying, is not what I would call a security issue unless it is being used as a decoy to mask any actual security breaches."
      Against an air traffic control system? The call database for the Ambulance…

    4. Shozaburo Takitani

      Internet Activist

      In reply to Craig S Wright

      "It is a shame that you feel this way, there are many secure systems that are open..." I feel this way because with the network being open, it is insecure by default. Sure there are checks and balances etc, but for every good sysadmin out there, there are orders of magnitude more inept ones.

      "Against an air traffic control system? The call database for the Ambulance service..." I contend that if you have essential services running on a public network, then you are ripe for a DDoS and if in a full…

    5. Craig S Wright

      PhD; Adjunct Lecturer in Computer Science at Charles Sturt University

      In reply to Shozaburo Takitani

      "'It is a shame that you feel this way, there are many secure systems that are open...' I feel this way because with the network being open, it is insecure by default."

      So, Google is insecure by default. It is open. Logically, it must be insecure.

      Security is about a risk assessment and valuing the data based on the relative needs.

  2. Bruce Baer Arnold

    Assistant Professor, School of Law at University of Canberra

    The claims made by McAfee (a body with a strong commercial interest in talking up anxieties) have not been independently verified and by their nature are unverifiable. Claims that the digital sky is falling have been echoing for at least a decade and prophecies of imminent 'cybergeddon' are getting a bit long in the tooth. The concerns are real but they are not NEW and we should be wary about uncritical reception of commercial media releases packaged as research.

    The big question is not whether…

    1. Craig S Wright

      PhD; Adjunct Lecturer in Computer Science at Charles Sturt University

      In reply to Bruce Baer Arnold

      "The answers include education and legal mechanisms"

      Please explain the legal methods? Just how does a site in Australia make a botnet stop, one where the source is unknown and with an array of compromised hosts globally?

  3. Bruce Baer Arnold

    Assistant Professor, School of Law at University of Canberra

    There's a large literature on law (civil and criminal) regarding information security. That literature's readily accessible ... readers might choose to do some exploring rather than receiving a potted lecture on "legal methods". National and international law has some value in shaping how we deal with botnets. (Law's part of an overall response, rather than the total solution, just as consumer education, effective policing by law enforcement agencies and improved products from IT solutions vendors are a part).

    1. Craig S Wright

      PhD; Adjunct Lecturer in Computer Science at Charles Sturt University

      In reply to Bruce Baer Arnold

      "There's a large literature on law (civil and criminal) regarding information security. That literature's readily accessible."

      Yes, and how much effort does it take to take down a botnet internationally? Please explain just why it is so easy.

      When you are there, explain why so few cases exist.

  4. Bruce Baer Arnold

    Assistant Professor, School of Law at University of Canberra

    The wording is "The answers include education and legal mechanisms (including law that does not give a blank cheque to cybercops or acts as a cheerleader for agile cybersecurity publicists) and provision of better products from the IT sector". There's no implication that law is the only answer or that it is simple. Again, you may wish to reread the preceding statements.

    There's a very large literature on law as part - an important part but not the only element - of responses by consumers, governments, communication providers and other businesses to a range of online ills. Among the most recent is the Schactman document at http://www.brookings.edu/~/media/Files/rc/papers/2011/0725_cybersecurity_shachtman/0725_cybersecurity_shachtman.pdf

    There are some excellent law teachers at Charles Sturt who can brief you on law's relevance, even if you can't get across to study at UC. I'll leave it at that.

    1. Craig S Wright

      PhD; Adjunct Lecturer in Computer Science at Charles Sturt University

      In reply to Craig S Wright

      That did not paste well....

      As stated, I have an LLM. What postgrad law and experience in forensics over 20 years and time in court rooms has taught me is just how ineffective the legal route is right now.

      Less than 1% of 1% of cybercrime is ever investigated and the frequency of international prosecutions....

      Actually, Venezuela for instance - nothing despite huge volumes of child porn and fraud online. Not a single international arrest, let alone extradition or prosecution, ever.

      It does not seem too effective really.

  5. Bob Constable

    logged in via Facebook

    While I am not as qualified as you Craig or the other commentators (although I’m not sure what qualifications are required for an Internet Activist) I would like to offer these observations.

    You say “It’s official: we have entered a brave new world.” Well, it's really not that new; your article says it’s at least five years old. It's really the same old world where governments and criminals always adopt new technologies for their own benefit.

    No matter how many firewalls, passwords, encryption or…

    1. Craig S Wright

      PhD; Adjunct Lecturer in Computer Science at Charles Sturt University

      In reply to Bob Constable

      Bob,
      First, the thing most people get mixed up on is the notion of absolute security. In a notion of absolute security you are correct Google is not safe etc. The issue is that this concept is false. Security, being a risk function, is about minimising costs and hence only relative security can be considered. Spending more than the cost of the data to secure it is not securing in reality as you have already exceeded the value at risk of the data.

      The “It’s official” was added by the editor, the…

    2. Shozaburo Takitani

      Internet Activist

      In reply to Bob Constable

      Whilst I won't go into my university degrees, the qualifications required are a passion for technology, a desire to see the people have access to an internet free of censorship and a desire to help people in countries whose civil liberties are trodden on by getting their voices heard.

      Most people have a phone with a camera on it; we facilitate those images getting out into the public and we maintain technologies such as VPNs, Tor nodes, i2p gateways, HAM radio & international faxes so that they have the ability to speak to whoever will listen.

      How else do you think the images & video from Syria, Egypt, Libya etc get out?

      Hopefully you're using https with your facebook login.

    3. Craig S Wright

      PhD; Adjunct Lecturer in Computer Science at Charles Sturt University

      In reply to Shozaburo Takitani

      "Hopefully you're using https with your facebook login."

      The shame is that FB has not made this the default. You can opt to type and use https://... but they still allow you http://...

      What should be the default is SSL on all access.

      One day we hope.

      The idea of Tor, onion nets etc. is wonderful, but this is a hell of a lot different than actively attacking systems. I actively support these networks, but how is supporting systems that allow one to get a message out from a repressive regime the same as attacking a corporation?

    4. Shozaburo Takitani

      Internet Activist

      In reply to Craig S Wright

      I believe the new iteration of Firefox may make this the norm, but don't quote me on that. In any case I use the brilliant HTTPS Everywhere extension for Firefox and that way I don't even have to think about it. But then when dealing with people that are not as technically savvy as you or I, it's hard to get the point of things that are as important as that across.

      Lots of people put their whole lives on facebook, yet fail to use https, but would be outraged at the bank not having a secure encrypted…

    5. Craig S Wright

      PhD; Adjunct Lecturer in Computer Science at Charles Sturt University

      In reply to Shozaburo Takitani

      Shozaburo,
      Activism is more than fine. Placing oneself and one's own reputation on the line is more than OK in my view. Attacking another is not.

      Back in the early 90s I managed to cause myself a good deal of trouble many times. I wrote a 128-bit encryption patch for Internet Explorer and released this in Australia. The result was a great deal of consternation from the US, who believed that only the US could have good encryption back then. I even managed to get a detain order for that. It was difficult to get…
