The massive cyber espionage operation disclosed by the security company McAfee began with its 2009 discovery of a suspicious command-and-control server.
The server contained logs showing the Internet Protocol addresses for the firewalls and email gateways of dozens of companies and organizations around the world.
Intruders possibly working for a “state actor” used this server to steal secrets from at least 72 victims in 14 countries, according to McAfee’s new report, “Revealed: Operation Shady RAT.” RAT is the cyber industry’s term for the remote access tools used by the intruders.
McAfee will not say which country it suspects might be behind the intrusions or provide details about the server, except to say it was located in a Western country and that the IP logs were acquired legally.
After the 2009 discovery, the company began quietly notifying law enforcement agencies and signing nondisclosure agreements with some of the victims. McAfee said it has briefed foreign governments, congressional staff members and White House officials.
Because of countermeasures, the Shady RAT intruders have adjusted their tactics, but their operation is “still going on today,” McAfee’s Dmitri Alperovitch, vice president for threat research, said in a teleconference with reporters in August.