Security Firm Says It Found Global Cyberspying

By DAVID BARBOZA and KEVIN DREW

SHANGHAI — An American cybersecurity company issued a report on Wednesday saying that it had identified a single perpetrator of cyberattacks that lasted up to five years on a wide range of governments, American corporations and even United Nations groups, and that the pattern of targets suggested the attacker was a “state actor.”

However, as with a number of other alarming recent reports on computer spying, it offered few details that would allow independent verification, and it was difficult to immediately assess the damage done. It did not identify the location of the attacking computer system, say what kinds of documents or information were stolen, or offer any direct evidence of a state actor. .

The company, McAfee, said it had alerted the 72 targets it identified — 49 of them American, including 14 federal, state and county agencies and 11 defense contractors — and also informed law enforcement agencies, which it said were investigating.

The White House referred questions to the Department of Homeland Security. At a news conference on other matters, that department’s secretary, Janet Napolitano, said: “We became aware of the McAfee report, I think, today, which is when it was released to the press, as well. We obviously will evaluate it, look at it and pursue what needs to be pursued in terms of its contents.”

One of the few named organizations, the World Anti-Doping Agency, cast doubt on the report’s assertion that the agency had been subject to a 14-month attack that began in August 2009. In a statement, the director general, David Howman, acknowledged that the agency had experienced an e-mail breach in February 2008, but that “at this stage, W.A.D.A, has no evidence from its security experts of the intrusions as listed by McAfee and the agency has yet to be convinced that they took place.”

McAfee, which was recently acquired by Intel, said it released the report to coincide with the start of the annual Black Hat technical security conference in Las Vegas. Briefings at the conference are scheduled to be delivered Wednesday and Thursday. Details of the study were first published on the Web site of Vanity Fair.

Asked why McAfee decided not to identify most of the corporations that were targets in Operation Shady Rat, the company said on Wednesday that they were worried about being identified and alarming shareholders or customers.

Cyber security is now a major international concern, with hackers gaining access sensitive corporate and military secrets, including intellectual property. The report comes after high-profile cyberattacks aimed at the International Monetary Fund, Sony and the Lockheed Martin Corporation, America’s largest military contractor.

Concern over attacks being carried out by nation-states is rising sharply, particularly after Google said last year that Chinese hackers stole some of the company’s source code. Many security experts say the Chinese government has built up a sophisticated cyber warfare unit and that the government may be partnering with professional hackers. But the list is long of entities, government or private, suspected of hacking campaigns.

Jeff Moss, an Internet security expert who founded the Black Hat Conference, said it would be hard to narrow down the suspects in a broad campaign. “China is a pretty convenient punching bag,” he said.

The company’s 14-page report, written by Dmitri Alperovitch, McAfee’s vice president of threat research, traced the attacks to at least 2006 and said they peaked in 2009. It calls the attacks highly sophisticated and said targets included governments, companies, and organizations in Canada, Japan, South Korea, Taiwan, Switzerland and Britain.

“After painstaking analysis of the logs, even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators,” the report said.

McAfee said it identified a single perpetrator in March, when it discovered detailed logs of attacks while reviewing the contents of a server it had discovered in 2009 as part of an investigation into security breaches at defense companies. The report did not say where the server was, nor how the company gained access.

McAfee dubbed the attacks Operation Shady RAT — RAT stands for remote access tool, a type of software used to control networked computers.

The duration of the attacks ranged from a month to what McAfee said was a sustained 28-month attack against an Olympic committee of an unidentified Asian nation.

What was done with the data “is still largely an open question,” Mr. Alperovitch wrote in the report. “However, if even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat.”

Mr. Moss said subjects of attacks should be more forthcoming. “Companies do the public a disservice by not revealing when these things happen,” he said.

In mid-May, the Obama administration proposed creating international computer security standards with penalties for countries and organizations that fell short. The strategy calls for officials from the State Department, the Pentagon, the Justice Department, the Commerce Department and the Department of Homeland Security to work with their counterparts around the world to come up with standards aimed at preventing theft of private information and ensuring Internet freedom.

Obama administration officials said privately at the time that the hope was that the initiative would prod China and Russia into allowing more Internet freedom, cracking down on intellectual property theft and enacting stricter laws to protect computer users’ privacy.

In February, a Canadian federal cabinet minister said hackers, perhaps from China, compromised computers in two Canadian government departments in early January, leaving bureaucrats with little or no Internet access for nearly two months. The minister, Stockwell Day, the president of the Treasury Board, called the attack a “significant one” that went after financial records.

Also in February, McAfee released a report saying that at least five multinational oil and gas companies had suffered computer network attacks by a group of hackers based in China. Beijing has strongly denied any role in cyberattacks, and insisted it has been a frequent victim such attacks itself.

On Wednesday, China’s Foreign Ministry did not respond to requests for comment about allegations of Chinese links to cyberattacks after the McAfee report.

But last month, at a regularly scheduled news conference in Beijing, the Foreign Ministry spokesman, Hong Lei, said, “The Chinese government opposes hacking in all its manifestations.”

He added: “Hacking is an international issue, with which China also falls victim. China is willing to conduct international cooperation in this regard. We are dissatisfied with some people’s irresponsible remarks that link hacker attacks with the Chinese government.”