As soon as Dmitri Alperovitch walked into a hotel suite at McAfee’s reception at the Black Hat security conference, he was surrounded by reporters from the New York Times, Reuters, and other publications. It was the logical end to a long day that began with a blog post by Alperovitch about Operation Shady RAT, a cyber-spying campaign that Alperovitch said was the “biggest transfer of wealth in terms of intellectual property in human history.”
Alperovitch, the vice president of threat research for McAfee, started the day in Omaha, Neb., where he was believed to be briefing U.S. government officials. His tale of investigating the cyber evidence, which began in earnest in March, was chronicled in a lengthy Vanity Fair (yes, not the sort of magazine you expect to see writing about cyber security) article that appeared Wednesday. He did interviews with CNN, NPR, and a bunch of other media. At Black Hat, the McAfee revelation was the talk of the day.
“They started calling me on my personal phone,” he told Joris Evers, a public relations official for McAfee. “How did they get my phone number?”
Evers said, “Maybe you should change it.”
This is not the sort of attention that most Black Hat news stories get. Some attendees were trying to debunk the story, saying there was no way that the ring was as vast as suggested. They thought it curious that Alperovitch named the operation himself, after a remote access tool that was used in the attack.
Alperovitch told Vanity Fair magazine, Reuters and others that the five-year spying campaign penetrated the computer networks of 72 governments and major corporations. Last week, Alperovitch briefed senior White House officials on Shady RAT. He talked to executive branch agencies and congressional committee staff. McAfee believes that the governments infiltrated by Shady RAT operatives include the United States, Taiwan, South Korea, Vietnam, and Canada. Others hit include the United Nations, the Olympic committees in three countries, and the International Olympic Committee. About 49 targets were in the U.S. A total of 13 defense contractors were hit.
“It came from a process of putting different pieces together, with a lot of cooperation,” Alperovitch said to me at the party.
Alperovitch picked up the first trail in the spying scheme in 2009, according to Vanity Fair, when a McAfee client in the defense industry found that its network had been penetrated.
The magazine wrote, “Forensic investigation revealed that the defense contractor had been hit by a species of malware that had never been seen before: a spear-phishing email containing a link to a Web page that, when clicked, automatically loaded a malicious program — a remote-access tool, or rat — onto the victim’s computer. The rat opened the door for a live intruder to get on the network, escalate user privileges, and begin exfiltrating data.”
McAfee identified the command-and-control server that launched the attack and blocked it. But only in March did Alperovitch discover that logs of the attacks were still stored on that server. That allowed McAfee to figure out who had been attacked and how the sequence of events unfolded. Curiously, none of the attacks took place in China.
Alperovitch said the evidence indicates a “state actor” perpetrated the sophisticated hacking plot, leading others to believe China — which Google blamed for Operation Aurora cyber espionage attacks — was behind the scheme.
I asked him if McAfee had an army of researchers poring over the details of the intelligence ring.
“No, it was just me and a small group,” he said. His post credited Adam Meyers for research help.
Asked why he didn’t name the country that did the spying, Alperovitch said, “We didn’t have the evidence. So we didn’t say.”