The attacks are continuing, McAfee says, and the sobering news is that the C&C server McAfee examined is just one of many.
"This is only the tip of the iceberg," report author Dmitri Alperovitch, VP of threat research for McAfee Labs, said in a press conference. "We know there are hundreds or maybe thousands of servers used by this actor."
The victims include a wide range of entities. Of the 72 compromised organizations, 49 are in the United States, with the rest divided among a number of Canadian, European and Asian organizations. Among the victims were 14 U.S. government agencies (six federal, five state and three county), as well as Canadian and Asian government agencies and the United Nations. Thirteen defense contractors were victimized, and the communications, IT and electronics industries were hard hit.
"All this intellectual property going out the door is not just a threat to national security in terms of our country's secrets stolen by our adversaries," said Alperovitch. "It's also about our economic security. All these industries will feel the impact of all their R&D being stolen and potentially recreated in other countries, and being marketed as cheaper and better goods."
All but a few of the organizations remain anonymous at their request, along with the precise nature of the information stolen. McAfee says the organizations were all informed of the details of the breaches. Law enforcement and other appropriate agencies were notified, and White House and Congressional staff were briefed.
McAfee characterizes these intrusions as true examples of advanced persistent threats (APTs), demonstrating that targeted, enduring attacks seeking intellectual property and government or organizational secrets are not new, even if the acronym is. Although nine of these intrusions lasted less than a month, the rest persisted for a number of months before they were terminated. Many lasted for more than 10 months, and the longest, against an Asian nation's Olympic Committee, lasted 28 months.
The attacks followed a standard pattern: a spear-phishing email carrying an exploit is sent to a key individual in the organization. On an unpatched system the exploit triggers a malware download, and the malware opens a backdoor communications channel to a C&C server. Live operators then use the compromised machine to escalate privileges, move laterally through the organization, and locate and exfiltrate the information they are after.
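The step in that pattern a defender can most readily catch from the network side is the backdoor's check-in with its C&C server: an implant that waits for operator commands usually polls on a timer, and in proxy logs that shows up as one internal host contacting one external host at near-constant intervals, unlike the bursty, irregular traffic a person generates. The following beacon detector is an added example, not code or data from the article or from McAfee, and it says nothing about how this particular actor's C&C protocol worked (the article does not describe it). The log format, the host names and IP addresses, and the thresholds are all constructed for the example.

```python
"""Flag regular, low-jitter outbound connections (C&C beaconing) in proxy logs.

Added example; the log format and every host/IP below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log, one event per line:
#   "<ISO timestamp> <src_ip> <dst_host> <bytes_out>"
# 10.1.2.3 -> news.example.com checks in every ~5 minutes (implant-like).
# 10.1.2.4 -> mail.example.org is irregular (person-like).
SAMPLE_LOG = """\
2011-08-02T09:00:00 10.1.2.3 news.example.com 512
2011-08-02T09:00:30 10.1.2.3 updates.example.net 2048
2011-08-02T09:05:03 10.1.2.3 news.example.com 510
2011-08-02T09:09:58 10.1.2.3 news.example.com 515
2011-08-02T09:15:01 10.1.2.3 news.example.com 508
2011-08-02T09:20:00 10.1.2.3 news.example.com 511
2011-08-02T09:24:57 10.1.2.3 news.example.com 513
2011-08-02T09:03:11 10.1.2.4 mail.example.org 4096
2011-08-02T09:17:45 10.1.2.4 mail.example.org 8192
2011-08-02T09:41:02 10.1.2.4 mail.example.org 1024
2011-08-02T09:58:30 10.1.2.4 mail.example.org 2048
2011-08-02T10:30:00 10.1.2.4 mail.example.org 512
2011-08-02T11:20:00 10.1.2.4 mail.example.org 300
"""


def parse_log(text):
    """Group events by (src_ip, dst_host) -> list of (timestamp, bytes_out)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return events


def beacon_score(times):
    """Return (mean_gap_seconds, jitter) for a list of connection times,
    where jitter = population stdev of the gaps divided by their mean.
    Returns None when there are fewer than three connections (two gaps),
    which is too little to say anything about regularity."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    if m == 0:
        return None  # all connections at the same instant; not a timer
    return m, pstdev(gaps) / m


def find_beacons(text, min_connections=5, max_jitter=0.1):
    """Return {(src, dst): (count, mean_gap_s, jitter)} for host pairs whose
    connection timing is regular enough to look machine-driven."""
    hits = {}
    for pair, evs in parse_log(text).items():
        if len(evs) < min_connections:
            continue
        score = beacon_score([t for t, _ in evs])
        if score is not None and score[1] <= max_jitter:
            hits[pair] = (len(evs), score[0], score[1])
    return hits


if __name__ == "__main__":
    for (src, dst), (n, gap, jitter) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {n} connections, every {gap:.0f}s, jitter {jitter:.3f}")
```

On the constructed log only the 10.1.2.3 to news.example.com pair is reported (six connections roughly 300 seconds apart, jitter about 0.01); the mail traffic has the same number of connections but its gaps vary too much. Two caveats a practitioner would apply before trusting this in production: implants commonly add random sleep to their interval, so `max_jitter` has to be tuned against the environment's baseline rather than set to a tidy constant, and legitimate software (update checkers, monitoring agents) beacons too, so hits are a triage queue to be joined with destination reputation and the bytes-out column, where the exfiltration step of the pattern above would show as unusually large uploads.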