Security experts have discovered the biggest series of cyber attacks to date, involving the infiltration of the networks of 72 organizations including the United Nations, governments and companies around the world.
Security company McAfee, which uncovered the intrusions, said it believed there was one "state actor" behind the attacks but declined to name it, though one security expert who has been briefed on the hacking said the evidence points to China.
The long list of victims in the five-year campaign include the governments of Canada, the United States, Taiwan, India, South Korea and Vietnam; the Association of Southeast Asian Nations (ASEAN); the International Olympic Committee (IOC); the World Anti-Doping Agency; and an array of companies, from defense contractors to high-tech enterprises.
In the case of the United Nations, the hackers broke into the computer system of the UN Secretariat in Geneva in 2008, hid there unnoticed for nearly two years, and quietly combed through reams of secret data, according to McAfee.
"Even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators," McAfee's vice-president of threat research, Dmitri Alperovitch, wrote in a 14-page report released on Wednesday.
"What is happening to all this data ... is still largely an open question. However, if even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team's playbook), the loss represents a massive economic threat."
McAfee learned of the extent of the hacking campaign in March this year, when its researchers discovered logs of the attacks while reviewing the contents of a "command and control" server that they had discovered in 2009 as part of an investigation into security breaches at defense companies.
It dubbed the attacks "Operation Shady RAT" and said the earliest breaches date back to mid-2006, though there might have been other intrusions as yet undetected. (RAT stands for "remote access tool," a type of software that hackers and security experts use to access computer networks from afar.) Some of the attacks lasted just a month, but the longest - on the Olympic Committee of an unidentified Asian nation - went on and off for 28 months, according to McAfee.
"Companies and government agencies are getting raped and pillaged every day. They are losing economic advantage and national secrets to unscrupulous competitors," Mr. Alperovitch told Reuters.
"This is the biggest transfer of wealth in terms of intellectual property in history," he said. "The scale at which this is occurring is really, really frightening."
He said that McAfee had notified all the 72 victims of the attacks, which are under investigation by law enforcement agencies around the world. He declined to give more details, such as the names of the companies hacked.
The report from McAfee, which bases its information on having taken over a "command-and-control" server used in the hack attack, mentions that four Canadian organizations - two of them government agencies - are known to have been victimized.
Intriguingly the only named Canadian entity that was victimized is the World Anti-Doping Agency, headquartered in Montreal, which is said to have been infiltrated for a period of 14 months starting in August 2009 - or one year after the Beijing Olympics. "The interest in the information held at the Asian and Western national Olympic Committees, as well as the International Olympic Committee (IOC) and the World Anti-Doping Agency in the lead-up and immediate follow-up to the 2008 Olympics was particularly intriguing and potentially pointed a finger at a state actor behind the intrusions, because there is likely no commercial benefit to be earned from such hacks," the report says.
On Wednesday afternoon, the Montreal-based World Anti-Doping Agency (WADA) responded to the McAfee report by saying it was getting in contact with the U.S. company -- but had yet uncover any evidence that that its own servers had been hacked.
"At this stage, WADA has no evidence from its security experts of the intrusions as listed by McAfee and the agency has yet to be convinced that they took place," the anti-doping agency said in a statement.
WADA then added that its database of sensitive information resides on a completely different server than its email server. This precaution would, presumably, insulate the more sensitive data from hackers using emailed "spear-phishing" attacks -- a technique the Operation Shady Rat hackers are said to have embraced.
The other Canadian entities were infiltrated for shorter spans. The report says "Canadian Government Agency #1" was infiltrated in October, 2009, for a period of six months and "Canadian Government Agency #2" was infiltrated in January 2010 for one month. (Last winter it became public that hundreds of employees from two federal departments, Treasury Board and Finance, were being asked to use Internet cafés instead of government computers, following a significant breach of those departments' networks - though it's not clear whether these are the same two departments mentioned in the McAfee report.) The report also adds that a "Canadian Information Technology Company" was also victimized for four months starting in July 2008.
While Canada is listed as the country the second-most affected by the "Operation Shady Rat" attack, the four known incursions pale behind the 49 affected agencies headquartered in the United States. Fourteen U.S. government organizations and 12 U.S. defence contractors are said to have been hit.
McAfee says the logs it recovered indicate many more entities were attacked, but it wasn't able to determine the identities of all of them.
Jim Lewis, a cyber expert with the Center for Strategic and International Studies, was briefed on the discovery by McAfee. He said it was very likely that China was behind the campaign because some of the targets had information that would be of particular interest to Beijing.
The systems of the IOC and several national Olympic Committees were breached in the run-up to the 2008 Beijing Games, for example.
And China views Taiwan as a renegade province, and political issues between them remain contentious even as economic ties have strengthened in recent years.
"Everything points to China. It could be the Russians, but there is more that points to China than Russia," Mr. Lewis said.
He added that the U.S. and Britain have capabilities to pull off this kind of campaign, but said, "We wouldn't spy on ourselves and the Brits wouldn't spy on us."
McAfee, which was acquired by Intel Corp. this year, would not comment on whether China was responsible. Security researchers who work for large corporations are often reluctant to link governments to cyber attacks out of fear it could hurt their business in those countries.
The UN said it was aware of the report, and that it has started an investigation to ascertain if there was an intrusion.
"The idea is to look into the entire Geneva network," said Farhan Haq, deputy spokesperson for the UN Secretary-General, adding that it was difficult to quantify the potential damage without knowing exactly what had been attacked.
He declined to be drawn on who might be behind the attacks. When asked what would happen if it turned out to be China, he said: "We'll have to cross that bridge once we find out what happened to our network."
McAfee released the report to coincide with the start of the Black Hat conference in Las Vegas on Wednesday, an annual gathering of security professionals and hackers who use their skills to promote security and fight cyber crime.
In the scorching desert heat, they will meet to talk about a series of recent headline-grabbing hacks, such as on Lockheed Martin Corp., the International Monetary Fund, Citigroup Inc., Sony Corp. and EMC Corp.'s RSA Security.
Experts will disclose security vulnerabilities in commonly used software, computers, services and electronics to help companies and governments combat criminal hackers.
The activist groups Anonymous and Lulz Security have recently grabbed the spotlight for temporarily shutting down some high-profile websites and defacing others.
But attacks like Operation Shady RAT are far more costly and often undisclosed, as victims fear reputational damage or attention from other hackers. McAfee sees Operation Shady RAT as the tip of the iceberg.
"I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact," Mr. Alperovitch wrote in the report.
"In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they've been compromised and those that don't yet know."
The report from McAfee, which bases its information on having taken over a "command-and-control" server used in the hack attack, mentions that four Canadian organizations are known to have been victimized.
With a file from Colin Freeze