'Shady RAT' Hacking Claims Overblown, Security Firms Say

Two security companies are questioning claims that a cyber espionage campaign uncovered by a rival firm was sophisticated or even extraordinary.

On Tuesday, antivirus vendor McAfee described a five-year hacker operation that infiltrated more than 70 U.S. and foreign government agencies, defense contractors and international organizations to plant malware that in some cases hid on networks for years.

In its report, McAfee said it was "surprised by the enormous diversity of the victim organizations" and "taken aback by the audacity of the perpetrators."

News stories about the report seized on the word "unprecedented" in the McAfee report to characterize the scale of the intrusions.

"What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth," said McAfee, referring to the now-nearly-constant attacks on Western companies and organizations by campaigns like Shady RAT.

Moscow-based Kaspersky Lab on Thursday begged to differ, saying that McAfee has simply not provided enough information to justify the claims being bandied about.

"The report contains nothing on what particular data has been stolen or how many computers in each organization were hit by the attacks," said Alex Gostev, Kaspersky's chief security expert, in an emailed statement. "Until the information in the McAfee report is backed up by evidence, to talk about the biggest cyber attack in history is premature."

Although McAfee's report on what it dubbed "Operation Shady RAT" was filled with details -- it noted how long the malware had remained hidden on each of the 72 victims, and provided a timeline on the various compromises -- it did not, in fact, explicitly claim that data had been stolen.

Other security researchers have chimed in as well to rebut claims that the Shady RAT attacks were sophisticated or even out of the ordinary.

"Is the attack described in Operation Shady RAT a truly advanced persistent threat?" asked Symantec researcher Hon Lau in a Thursday blog post. "I would contend that it isn't."

Advanced persistent threat, or APT, is the term that's been widely used to describe targeted attacks against specific companies or organizations that try to burrow into a computer network and pillage information.

The word "advanced" is a misnomer, said Lau in a write-up of Symantec's own analysis of Shady RAT, which filled in many of the details omitted by McAfee, including the type of malware involved, the techniques hackers used to plant their attack code on PCs and the exploits they used.

Lau popped the "advanced" balloon by citing the sloppiness of the attackers, who left their own command-and-control (C&C) servers open to probing, and for their use of "relatively non-sophisticated malware and techniques."

Joe Stewart, director of malware research for Dell SecureWorks and a noted botnet researcher, said much the same. "APT malware is actually less sophisticated than general malware the public sees," Stewart said in an interview with Computerworld earlier this week.

Stewart traced the C&C servers used by the group behind Shady RAT to Chinese networks by exploiting debugging code left in a smokescreen utility packaged with the malware -- another hint that the attackers were not omnipotent.

Nor are the Shady RAT perpetrators unusual, said Stewart, who used the same techniques to tail a second set of C&C servers to China. Those servers, he said, were managed by a completely separate group of hackers.

Today, the newspaper controlled by the Chinese Communist Party denied any link between the country and Shady RAT. "Arbitrarily linking China and every hacking attack is irresponsible," said the People's Daily on Friday.

China regularly rejects accusations that its government sponsors or harbors hackers who target Western companies and agencies. It has denied, for instance, any involvement with the large-scale attacks against Google and more than a dozen other major corporations in late 2009 and early 2010. Dubbed "Aurora," those attacks prompted Google to threaten to abandon the Chinese market before it shifted its search engine to Hong Kong last year.

And in June, China rejected claims by Google that identity thieves in the country had targeted Gmail accounts of senior U.S. government officials, military personnel and Chinese anti-government activists.

Shady RAT is, in other words, just more of the same, said Symantec's Lau.

"While this attack is indeed significant, it is one of many similar attacks taking place daily," he said. "Even as we speak, there are other malware groups targeting many other organizations in a similar manner in order to gain entry and pilfer secrets."
