McAfee, RSA: the entire Fortune 500 is compromised

Advanced, persistent RATs have outdone enterprise defences.

Every major corporation harbouring valuable information has been compromised, but only some know it, according to executives at McAfee and RSA.

High-grade information-stealing Trojans were already sitting inside the firewalls of almost all Fortune 500 companies, RSA's head of technology, Uri Rivner, said Tuesday.

He described the so-called “ZeusiLeaks Effect” as “the pervasive use of high-grade Trojans used by thousands of petty criminals”.

“They are already operating inside the firewalls of almost every Fortune 500 company,” said Rivner.  “External attackers are infecting employee PCs, either deliberately or as a side-effect of financial fraud attacks.”

This was separate from the “advanced persistent threat” of the kind that undermined RSA's SecurID authentication system earlier this year, though that attack also relied on infecting an employee's desktop through a rigged Excel file.

Both types of attack show that perimeter security such as anti-malware was failing, according to Rivner.

Companies would need technologies that detect and investigate threats already inside the organisation, working from the assumption that every endpoint is already infected, he said. Although he did not mention RSA's recently acquired company NetWitness, it is the part of RSA's product set intended to provide that capability, through “full packet capture” network forensics that sit alongside traditional security information and event management (SIEM) tools.

McAfee’s VP of Threat Research Dimitri Alperovitch broadly agreed with Rivner's comments that every major corporation has been compromised.

“I divide the entire set of Fortune Global 2000 firms into two categories: those that know they've been compromised and those that don't yet know,” he said Wednesday, announcing McAfee's research into one group's activities over a five-year period using a family of remote access tools (RATs).

McAfee's analysis of log files from a command-and-control server, in an investigation it dubbed “Operation Shady RAT”, found that beginning in 2006 a single attacker had gained access to 72 organisations, including government agencies, defence contractors, industry, technology companies and trade organisations, in South Korea, the US, Canada, Britain, Denmark, Switzerland, Japan, Indonesia, Vietnam, Hong Kong, Germany and India.

Alperovitch claimed the targets and timing of the attacks suggested they were state-sponsored.

“The interest in the information held at the Asian and Western national Olympic Committees, as well as the International Olympic Committee (IOC) and the World Anti-Doping Agency in the lead-up and immediate follow-up to the 2008 Olympics was particularly intriguing and potentially pointed a finger at a state actor behind the intrusions, because there is likely no commercial benefit to be earned from such hacks,” he said.

The logs revealed that intrusions were few in 2006, with only eight recorded: a South Korean government agency, an energy research lab and several international trade organisations, including the ASEAN Secretariat.

“That last intrusion began in October, a month prior to the organisation’s annual summit in Singapore, and continued for another 10 months,” noted Alperovitch.

The number of organisations the attackers were observing each year grew from eight in 2006 to 29 in 2007, 36 in 2008 and 38 in 2009, before dropping to nine in 2011, which McAfee read as an indication that remediation measures had been put in place.

The intrusions often remained undetected for many months, with dwell times ranging from one month to around two years. A US satellite communications company, for example, was compromised in February 2009 and remained so for 25 months.
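The figures above (victims active per year, and per-victim dwell time such as the 25-month satellite-company compromise) are the kind of result an analyst derives from a seized C2 server's check-in logs. The following is an added example, not McAfee's code or data: it assumes a constructed beacon log format of “timestamp victim-id tag”, builds a first-seen/last-seen window per victim, and from those windows computes dwell time in months and the number of victims active in each calendar year. The victim identifiers and timestamps are invented for illustration.

```python
"""Reconstruct victim timelines and per-year activity from C2 beacon logs.

Added example. The log format and every record below are constructed
assumptions for illustration, not data from the Shady RAT investigation.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample check-in records: "<ISO-8601 UTC timestamp> <victim id> <tag>".
# Includes a duplicate record and a malformed line to show both are handled.
SAMPLE_LOG = """\
2006-10-03T08:12:44Z asean-sec-01 beacon
2006-12-19T09:01:02Z asean-sec-01 beacon
2007-08-07T11:45:10Z asean-sec-01 beacon
2007-03-02T10:00:00Z kr-energy-lab beacon
2009-02-11T14:22:05Z us-satcom-07 beacon
2010-06-30T03:17:51Z us-satcom-07 beacon
2011-03-14T22:48:09Z us-satcom-07 beacon
2011-03-14T22:48:09Z us-satcom-07 beacon
garbage line that should be skipped
"""


def parse_log(text):
    """Yield (timestamp, victim_id) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue  # not a beacon record
        yield ts, parts[1]


def victim_windows(records):
    """Return {victim_id: (first_seen, last_seen)} across all check-ins."""
    windows = {}
    for ts, victim in records:
        first, last = windows.get(victim, (ts, ts))
        windows[victim] = (min(first, ts), max(last, ts))
    return windows


def months_between(start, end):
    """Whole calendar months from start to end (Feb 2009 -> Mar 2011 is 25)."""
    return (end.year - start.year) * 12 + (end.month - start.month)


def dwell_months(windows):
    """Per-victim dwell time: months between first and last observed check-in."""
    return {v: months_between(first, last) for v, (first, last) in windows.items()}


def victims_per_year(windows):
    """Count victims whose activity window overlaps each calendar year."""
    counts = defaultdict(int)
    for first, last in windows.values():
        for year in range(first.year, last.year + 1):
            counts[year] += 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    windows = victim_windows(parse_log(SAMPLE_LOG))
    for victim, (first, last) in sorted(windows.items()):
        print(f"{victim:16} {first:%Y-%m} .. {last:%Y-%m}  {months_between(first, last):3d} months")
    print("victims active per year:", victims_per_year(windows))
```

Dwell measured this way is a lower bound: the first check-in in the log is the earliest evidence, not necessarily the initial compromise, and a victim that stops beaconing may have been remediated or may simply have been moved to a different C2 server.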
