Anatomy of a Breach: Operation Shady RAT — Five Years of State-Sponsored Espionage Against 72 Organisations

> series: anatomy_of_a_breach —— part: 032 —— campaign: operation_shady_rat —— duration: 5_years —— victims: 72_organisations

Hedgehog Security 31 August 2011 12 min read

72 organisations. 14 countries. Five years. Nobody noticed.

In August 2011, Dmitri Alperovitch of McAfee — the same researcher who had named Operation Aurora — published research revealing what he called 'Operation Shady RAT' (Remote Access Tool). The investigation, which gained access to a command-and-control server used by the attackers, revealed a five-year campaign of systematic cyber espionage against 72 organisations in 14 countries. The victims included the United Nations Secretariat, the International Olympic Committee, the World Anti-Doping Agency, the Association of Southeast Asian Nations (ASEAN), government agencies in the US, Canada, South Korea, India, Taiwan, and Vietnam, defence contractors, and technology companies.

The campaign had been running since at least 2006 — before Aurora, before Stuxnet, before the world was paying attention to state-sponsored cyber espionage. The attackers used spear-phishing emails with malicious attachments to gain initial access, installed remote access tools for persistent access, and systematically exfiltrated data over periods ranging from one month to 28 months per victim. The longest intrusions lasted nearly two and a half years without detection.


A five-year, 14-country espionage campaign.

McAfee's analysis of the C2 server logs revealed the full scope of the campaign. The 72 victim organisations spanned government, defence, international organisations, non-profits, and commercial companies. The intrusions were not smash-and-grab operations — they were sustained intelligence-gathering campaigns, with some victims compromised for over two years.

International Organisations Targeted

The United Nations, the International Olympic Committee, and ASEAN were all compromised — suggesting an interest in diplomatic intelligence, international governance, and sporting event preparations. The Olympic Committee intrusions preceded both the Beijing (2008) and London (2012) Olympics.

Government Agencies Across 14 Countries

Government agencies in the US, Canada, South Korea, India, Taiwan, Vietnam, Japan, and others were compromised. The breadth of targeting suggested a state actor with strategic intelligence requirements spanning multiple regions. Our <a href="/blog/sector-under-the-microscope-local-government">local government</a> and <a href="/blog/sector-under-the-microscope-defence-supply-chain">defence supply chain</a> analyses examine the threat to UK public sector and defence organisations.

Dwell Times Measured in Years

Some intrusions lasted 28 months before being detected — or, more accurately, before the C2 server was analysed. Many victims may never have known they were compromised. This dwell time underscores why continuous monitoring through <a href="https://www.socinabox.co.uk">SOC in a Box</a> is essential — because annual penetration tests cannot detect an attacker who entered between assessments and is quietly exfiltrating data.

The Tip of the Iceberg

Alperovitch described Shady RAT as representing 'just the tip of the iceberg' of nation-state espionage. The 72 victims were those visible on a single C2 server — the actual scope of state-sponsored espionage was, and is, far larger. <a href="https://www.cyber-defence.io/services/threat-intelligence">UK Cyber Defence's threat intelligence</a> provides organisations with awareness of active campaigns targeting their sector.

Detecting what hides in plain sight.

Operation Shady RAT used the same fundamental techniques as every APT campaign: spear-phishing for initial access, remote access tools for persistence, and encrypted channels for exfiltration. The attacks were not technically novel — they succeeded because victims lacked the monitoring to detect them and the testing to identify the vulnerabilities they exploited.
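When the C2 channel is encrypted, a defender cannot read the traffic, but the timing of a RAT's check-ins still stands out: a workstation contacting the same external host at machine-regular intervals for days or months is exactly the long-dwell persistence described above. The following is an added example, not code from the original post or from Hedgehog Security, that scores each (source, destination) pair in constructed proxy log lines by the regularity of its connection gaps; the host names, thresholds and log format are assumptions.

```python
"""Flag long-running, periodic outbound connections (RAT-style beaconing)
in constructed proxy log lines of the form: <ISO timestamp> <src> <dst> <bytes>."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def _build_sample_log():
    """Constructed sample: ws-17 checks in every 30 min for ~3 days with a few
    seconds of jitter (beacon-like); ws-04 browses news.example in bursts."""
    start = datetime(2011, 3, 1, 9, 0, 0)
    jitter = [0, 7, -5, 3]  # seconds, cycles to mimic slight timing drift
    lines = []
    for i in range(144):  # 3 days x 48 half-hour slots
        t = start + timedelta(minutes=30 * i, seconds=jitter[i % 4])
        lines.append(f"{t.isoformat()} ws-17 update-cdn.example 512")
    for m in (0, 3, 45, 190, 191, 510, 1500, 1560, 2900):  # irregular gaps
        t = start + timedelta(minutes=m)
        lines.append(f"{t.isoformat()} ws-04 news.example 48213")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_log(text):
    """Group connection timestamps by (src, dst) pair."""
    events = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, dst, _nbytes = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def beacon_score(timestamps):
    """Return (span_days, cv) or None if too few connections to judge.
    cv is the coefficient of variation of inter-connection gaps; values
    near 0 mean clockwork regularity, which humans rarely produce."""
    ts = sorted(timestamps)
    if len(ts) < 4:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg else float("inf")
    span_days = (ts[-1] - ts[0]).total_seconds() / 86400
    return span_days, cv


def find_beacons(events, max_cv=0.1, min_span_days=1.0):
    """Pairs that are both highly regular and persist for at least a day."""
    hits = []
    for (src, dst), ts in events.items():
        score = beacon_score(ts)
        if score and score[1] <= max_cv and score[0] >= min_span_days:
            hits.append((src, dst, round(score[0], 1), round(score[1], 3)))
    return sorted(hits)
```

Tune `max_cv` and `min_span_days` to the environment: legitimate software updaters also beacon, so hits are triage leads to enrich with destination reputation and first-seen date, not verdicts.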

Our red team engagements simulate APT-style attacks — including spear-phishing, RAT deployment, lateral movement, and data exfiltration — to test whether your organisation's detection capabilities would identify a Shady RAT-style intrusion. Social engineering assessments test staff resilience to the phishing emails that began every Shady RAT intrusion. SOC in a Box provides the 24/7 monitoring that detects the encrypted C2 communications, anomalous data flows, and persistent access that APT campaigns rely on. And Cyber Essentials establishes the baseline controls — patching, access control, malware protection — that reduce the initial attack surface.


Shady RAT ran for five years undetected. Would you know if you were compromised?

Our <a href="/penetration-testing/red-team">red team engagements</a> test your detection capabilities against APT-style attacks. <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides the continuous monitoring that catches what annual tests miss.

Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call
