08/03/2011 07:15 EDT | Updated 10/03/2011 05:12 EDT

Operation Shady Rat: World Anti-Doping Agency, Canada Firm, Denies Being At Centre Of Cyber-Attacks

TORONTO - A Canadian-based organization thought to be at the centre of a five-year-long, worldwide cyber attack is questioning claims that its systems were compromised and left open to exploitation for more than a year.

But the skepticism voiced by the Montreal-based World Anti-Doping Agency is fuelling warnings from security experts, who say the group's doubts only prove that a well-executed hack can escape even the most rigorous security procedures.

The agency was one of four Canadian organizations highlighted by security firm McAfee Inc., which released a report on Wednesday detailing a five-year-long campaign of intrusions into more than 70 government agencies, companies and not-for-profit organizations around the world.

California-based McAfee said an unidentified information technology company and two unnamed government agencies were also compromised in the attack, dubbed Operation Shady Rat.

WADA Director General David Howman issued a statement expressing doubt about the McAfee report, which said the agency's systems were compromised for a 14-month period beginning in August 2009.

He said WADA experienced a security breach of its email server a year and a half before, resulting in an upgrade of its security systems. Internal security experts had not detected any other violations, he said.

"At this stage, WADA has no evidence from its security experts of the intrusions as listed by McAfee and the Agency has yet to be convinced that they took place," Howman said.

Security experts, however, caution that McAfee has gained unusual access to a hacker network that lends credibility to its claims.

Graham Cluley, senior technology consultant at security firm Sophos, said McAfee managed to obtain material from a command and control server, the central hub where the perpetrators of an attack store their ill-gotten information.

He said the source boosts the likelihood that the company's report is accurate.

David Skillicorn, professor at the Queen's University school of computing, said the attack highlights the subtlety and insidious nature of most sophisticated computer hacks.

"Lots of organizations don't know that they're being attacked," he said. "It's far more likely that they were attacked and don't know it than that McAfee somehow got it wrong."

McAfee said the Shady Rat hack, named for the "remote access tool" used to gain access to outside systems, was carried out through a commonly used technique known as spear-phishing.

Perpetrators would send an email to a strategically placed person within a company containing a link or attachment that would then infect the person's machine. That machine would then become the entry point for other hackers who wish to exploit a network.

While the Shady Rat hacking system was reasonably routine, McAfee security strategist Toralv Dirro said the five years' worth of logs found on the command and control server made it a noteworthy discovery.

It also highlights exactly how rampant hacking is in today's business climate, he said.

"This is more like the snowcoating on the top of the iceberg," Dirro said. "This really should serve as another wake-up call for companies that they are pretty much constantly under attack," he said. "We know of hundreds, if not thousands, of other command and control servers being used in similar operations, so this is just one case out of many many cases that are constantly going on."

Dirro said McAfee would be willing to provide proof of the attack on the World Anti-Doping Agency directly to the company, if requested. WADA said it planned to seek further evidence.

Operation Shady Rat targeted a wide variety of victims, including government agencies in the United States, South Korea and Taiwan, the United Nations, the International Olympic Committee and various unnamed defence contractors.

The choice of targets led McAfee to speculate that the hack was orchestrated by a single country bent on more than simple economic gain.

Speculation immediately centred on China, which has routinely been blamed for and denied involvement in state-sponsored hacks.

Cluley challenged McAfee's guess, citing hacker groups such as Anonymous and LulzSec whose list of targets may have also led experts to believe that they were acting on behalf of a country.

"Everyone's using the Internet to spy on each other, but it's a very hard thing to prove exactly who has done it," he said. "I'm not saying it isn't a government, but there's nothing technically different about the way in which these organizations get hacked and the kind of ways we see companies and home users being hacked all of the time by regular cybercriminals."

He also questioned the severity of the Shady Rat attack, saying it can't be properly evaluated without knowing how many individual machines were accessed and what information was obtained.

Skillicorn, however, believes the intrusions highlight an important reminder for computer users everywhere.

"People think that the Internet is a safe place," he said. "It requires a change of mindset to realize that you're not walking around a nice Canadian street, you're walking in the darkest street, in the darkest place in the world you can imagine, with a briefcase full of secrets. If you're going to do that, you want to protect yourself pretty seriously."