McAfee Defends Its Position on Operation Shady RAT
By: Abby Johnson - August 26, 2011
Earlier this month, tech security firm McAfee issued a report in which it revealed an attack that has been compromising organizations since 2006. The report is called Operation Shady RAT, and the attack is said to have infected at least 72 organizations across 14 different countries.
The victims include government agencies, defense contractors, and organizations such as the International Olympic Committee. From the report, it appears that the attacker, which McAfee calls a “nation state actor,” was going after information regarding diplomatic, economic, and military issues such as valuable intellectual property or trade secrets.
“We can expect to see that information utilized for building competitive industries and taking away market share in the near future,” said Dmitri Alperovitch, the Vice President of Threat Research at McAfee and the author of the report.
Alperovitch went on to say that McAfee had been tracking the attack for some time but that it recently gained access to one specific command and control server used by the attackers. Through it, they were able to identify all the victims that had been compromised and understand the magnitude of its impact.
“This really provided us a very complete picture of the full impact of these attacks on our entire economy, as well as nationally,” said Alperovitch.
Other security firms, however, do not see eye-to-eye with McAfee’s report. Symantec has said that the attack was neither “advanced” nor “sophisticated,” since Symantec was able to freely access the same information about the victims on the attackers’ command and control site.
In the Shady RAT report, Alperovitch said the focus of the analysis was on Advanced Persistent Threats (APTs). He told us that this term was coined by the government to describe a nation state actor that had committed cyber espionage against the government but that it was expanded to include any nation state that was performing computer network exploitation (CNE). He doesn’t think that the other security firms should focus on the terminology and said that a better acronym would be SPT to stand for Successful Persistent Threats.
According to him, the attacks were only as advanced as they needed to be. The attackers didn’t have to use new tools or new tactics because the old ones were able to get them what they wanted.
“One of the things that differentiates this activity from traditional criminal activity is that they’re really interested in you as an organization,” he said. “They don’t necessarily care about how well your competitors are doing… they’re going after you because of unique data that you have related to your intellectual property, or specific projects you’re working on, or sensitive business information.”
“They can’t get that data anywhere else, which is why they’re targeting you,” he added.
Alperovitch believes this activity is different from criminal activity because criminals have a financial motive. If they feel one bank, for example, is too hard to rob, they will try another bank.
“Some firms correctly stated that some of these attacks were not very advanced, and we never claimed they were,” he said. “They were successful, and they were devastating from the impact to these organizations, but they were only as advanced as they needed to be.”
Sophos has also spoken out against the Shady RAT report and said that it doesn’t clearly state “what information was stolen from the targeted organisations, and how many computers at each business were affected.” It additionally claims that McAfee may have released the report to drum up some publicity since it was released just before the Black Hat security conference began.
Eugene Kaspersky, the co-founder of Kaspersky Lab, also had some words to share about what he calls “Shoddy RAT.” He said it was a botnet that did not deserve as much attention as it had gotten and referred to McAfee’s conclusions as “largely unfounded and not a good measure of the real threat level.”
In response to this criticism, McAfee CTO Dr. Phyllis Schneck wrote a post and said that these security firms were missing the big picture of the report. When we spoke to Alperovitch, he echoed her sentiment.
“It doesn’t really matter how these intrusions are being done,” he said. “The fact of the matter is, they’re successful, and they’re having a massive impact on our economy.”