Every major corporation harbouring valuable information has been compromised, but only some know it, according to executives at McAfee and RSA.
High-grade information-stealing Trojans were already sitting inside the firewalls of almost all Fortune 500 companies, RSA's head of technology, Uri Rivner, said on Tuesday.
He described the so-called “ZeusiLeaks Effect” as “the pervasive use of high-grade Trojans used by thousands of petty criminals”.
“They are already operating inside the firewalls of almost every Fortune 500 company,” said Rivner. “External attackers are infecting employee PCs, either deliberately or as a side-effect of financial fraud attacks.”
This was separate from the "advanced persistent threat" of the kind that undermined RSA's SecurID authentication system earlier this year, though that attack also relied on infecting an employee's desktop through a rigged Excel file.
Both types of attack show that perimeter security controls such as anti-malware were failing, according to Rivner.
Companies would need technologies that detect and investigate threats already inside the company, on the assumption that all end devices are already infected, he said. Although he did not mention RSA's recently acquired company NetWitness, it is one of the products in RSA's portfolio that will provide such capability, through "full packet capture" network forensics that sits alongside traditional security information and event management (SIEM) tools.
McAfee’s VP of Threat Research Dimitri Alperovitch broadly agreed with Rivner's comments that every major corporation has been compromised.
"I divide the entire set of Fortune Global 2000 firms into two categories: those that know they've been compromised and those that don't yet know," he said on Wednesday, announcing McAfee's research into one group's activities over a five-year period using a family of remote access tools (RATs).
McAfee's analysis of log files from a command-and-control server, in what it dubbed "Operation Shady RAT", found that beginning in 2006 a single attacker had gained access to 72 organisations, including government bodies, defence contractors, industry, technology companies and trade organisations from South Korea, the US, Canada, Britain, Denmark, Switzerland, Japan, Indonesia, Vietnam, Hong Kong, Germany and India.
Alperovitch claimed the targets and timing of the attacks suggested they were state-sponsored.
“The interest in the information held at the Asian and Western national Olympic Committees, as well as the International Olympic Committee (IOC) and the World Anti-Doping Agency in the lead-up and immediate follow-up to the 2008 Olympics was particularly intriguing and potentially pointed a finger at a state actor behind the intrusions, because there is likely no commercial benefit to be earned from such hacks,” he said.
The logs revealed that intrusions were kept to a minimum in 2006, with only eight recorded, against a South Korean government agency, an energy research lab and several international trade organisations including the ASEAN Secretariat.
“That last intrusion began in October, a month prior to the organisation’s annual summit in Singapore, and continued for another 10 months,” noted Alperovitch.
The number of organisations the attackers were observing each year grew from eight in 2006 to 29 in 2007, 36 in 2008 and 38 in 2009, before dropping to nine in 2011, an indication that remediation measures had been put in place.
Often the intrusions remained undetected over many months, ranging from one month to two years. A US satellite communications company, for example, was compromised in February 2009 and remained so for 25 months.