In the latest indication that cyber-espionage campaigns have become a major threat to the wealth and security of nations, a foreign entity has been exposed for trying to steal secrets from more than 70 organizations – including two Canadian government departments and the World Anti-Doping Agency in Montreal.
The snooping – described as one of the largest such series of attacks ever documented – was carried out over the past five years by a group that has yet to be identified. Suspicions, however, are again centring on China, given that the list of targets includes the United Nations, governments in the West and Southeast Asia, military-defence contractors, and international sports bodies that were hit around the time of the 2008 Beijing Olympics.
McAfee Inc., a security-software firm based in California, garnered insights into the hacking scheme by breaking into one of the hacker computers and recovering its logs. "Operation Shady Rat," the company's report on the affair, was released on Wednesday.
The methods are consistent with several recently exposed cyber-espionage schemes, but the alarming magnitude amounts to a wakeup call. "The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property," Dmitri Alperovitch, a McAfee vice-president, writes in the report. "… What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth."
Officials with Canada's Public Safety Ministry refused to speak to any details, including which two departments were hit. Early this year, it was revealed that the Treasury Board and the Finance Department had suffered such significant breaches that the departments restricted desktop Internet access and installed Internet kiosks and other safe workstations for employees to us onsite.
Such disclosures are rare. No organization likes to flag its vulnerabilities, but secrecy stifles discussion about the growing problem of cyber-espionage, which in turn restricts debate about solutions and countermeasures.
"We need to build the widest possible shared understanding of what constitutes acceptable behaviour in cyberspace," a spokeswoman for Britain's most secretive spy agency, GCHQ, told Reuters on Wednesday.
Attacks have built to the point that computer security experts say it is no longer a question of which specific organizations have been hacked – it's more a question of how much everyone has been hit.
"Put this in perspective: What is the world's second oldest profession? Espionage," said Rafal Rohozinski, part of the University of Toronto's "Citizen Lab" team. The only thing that's new today, he said, is that the data equivalent of the U.S. Library of Congress's holdings can be moved overseas overnight.
This means collection is less a problem for hackers than sorting through the mountains of megabytes they recover, said Mr. Rohozinski, who two years ago was part of an effort that unearthed a hacker network snooping on groups in more than 100 countries.
The McAfee report suggests governments must better distinguish between nuisance hackers – like the Anonymous and LulzSec collectives that have lately achieved notoriety – and rival nations out to plunder state secrets, patented technologies and other proprietary information.
Most of the affected corporate and government victims are not named in the McAfee report. But some are. And the authors find it "particularly intriguing" that the International Olympic Committee and related organizations were hit.
The World Anti-Doping Agency released a statement Wednesday saying it has "no evidence from its security experts of the intrusions as listed by McAfee." It added that it keeps sensitive information about its drug-testing methods on a secure server that hackers would be hard-pressed to hit.
The anti-doping agency did say it recently reported a distinct hacker attack to Quebec provincial police and U.S. authorities. "I guess it would not be surprising that third parties might want to know what research is going on and what tests might be available but not announced," Dick Pound, who used to head the agency, told The Globe in an e-mail.
Although the report lists 72 entities as being hit, McAfee says there were many other targets it could not identify. Four Canadian organizations are known to have been affected – the two government departments, the World Anti-Doping Agency, and an unnamed tech company.
There were 49 known targets in the United States. A few Korean, Japanese and Taiwanese entities were also hit.
And while no targets in mainland China were identified, the Hong Kong bureau of an unidentified U.S. news organization is said to have had its networks infiltrated for nearly two years.
With a report from Omar El Akkad
Editor's note: The Department of Finance and the Treasury Board did not send government employees off-site to access the Internet. This online version has been corrected.
Colin Freeze