Friday, August 5, 2011

McAfee Operation Shady RAT: A Media Storm is Unleashed

On Thursday morning, August 4, I switched on the radio on the way to work to listen to the news headlines on the local radio station and was gobsmacked to hear them talking about the "biggest cyber attack" ever having been found by McAfee, dubbed Operation Shady RAT. For the first time I can ever remember, an infosec story had made it onto the news headlines of my local radio station, and in the process McAfee gained some valuable PR and credibility...

How it played out

The storm of media interest was sparked at 9.14pm US time on Tuesday night, August 2, when the original blog post and research report were released by McAfee researcher Dmitri Alperovitch. The first media article appeared in Vanity Fair, which had been given the web exclusive on the story.

Many thousands of other media outlets then ran with the story on the following day (Wednesday), typically summarising the research report, with many claiming it to be the biggest cyber attack in history. Many also pointed the finger of blame squarely at China, without any real evidence. Jim Lewis, a cyber expert with the Center for Strategic and International Studies who was briefed on the hacking discovery by McAfee, said it was very likely China was behind the campaign because some of the targets had information that would be of particular interest to Beijing. "Everything points to China. It could be the Russians, but there is more that points to China than Russia," Lewis said.

The facts of the case, as presented by McAfee's report
  • Botnet-like malware communicating with a single C&C (Command and Control) server was found at each of the 72 identified victim organisations; it was that server's logs that McAfee analysed.
  • A variety of different exploits were used to gain access to the victims' computers, largely through spear-phishing attacks.
  • 72 organisations were identified across a swathe of areas including government, industrial, technology, defense, sporting, corporate and non-profit NGOs.
  • 49 of the victims were from the USA.
  • There was no evidence presented of any specific or important data being lost.
  • There was no mention of the total number of unique IP addresses that were found to be infected.
The research report clearly states that "In all, we identified 72 compromised parties (many more were present in the logs but without sufficient information to accurately identify them)". In an interview on Friday, Sean Duca of McAfee Australia contradicted the research document by pointedly remarking that the total number of infected hosts was limited to only the 72 organisations listed in the report. However, in an interview with PC Mag, Dmitri Alperovitch said "I think it's fair to assume, that if you look at the totality of activity that's occurring, it's in the thousands of targets".

As Graham Cluley of Sophos' Naked Security blog put it, "What the report doesn't make clear is precisely what information was stolen from the targeted organisations, and how many computers at each business were affected." Cluley also decried the way the media had rushed to blame China for the attacks. "I don't think we should be naive. I'm sure China does use the internet to spy on other countries. But I'm equally sure that just about *every* country around the world is using the internet to spy. Why wouldn't they? It's not very hard, and it's certainly cost effective compared to other types of espionage," he wrote.

Hon Lau from Symantec poured cold water on the "biggest cyber attack" headlines surrounding the case: "While this attack is indeed significant, it is one of many similar attacks taking place daily." He also outlined how the attackers used spear phishing to target individuals, typically via email attachments such as Word documents, Excel spreadsheets, PDF files or PowerPoint presentations. "These files are loaded with exploit code, so that when the user opens the file the exploit code is executed, resulting in the computer becoming compromised," he wrote.
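To make the attachment-based lures Lau describes concrete, here is an added example written for this page (not McAfee's or Symantec's tooling, and not anything from the report): a small Python triage routine that checks an email attachment's declared extension against its real container type, looks for open-time actions and JavaScript in a PDF, and looks for a VBA project or embedded object inside an Office file. The sample attachments are constructed in-line; the checks are generic heuristics, not signatures for whatever exploits were used in Shady RAT, which the report does not publish.

```python
"""Triage e-mail attachments of the kind used in spear-phishing lures.

Added example for this page; the heuristics are generic and the sample
files below are constructed here, not taken from any real campaign.
"""
import io
import re
import zipfile

# Container signatures: legacy binary Office, PDF, and OOXML (a zip).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
PDF_MAGIC = b"%PDF-"
ZIP_MAGIC = b"PK\x03\x04"

# PDF name objects that make the reader run code or launch a program on open.
# /AA is "additional actions"; it can appear legitimately, so treat as a flag,
# not a verdict.
PDF_RISKY = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch)\b")

# What container each declared extension should really be.
EXPECTED_KIND = {
    "doc": "ole2", "xls": "ole2", "ppt": "ole2",
    "docx": "zip", "xlsx": "zip", "pptx": "zip",
    "docm": "zip", "xlsm": "zip", "pptm": "zip",
    "pdf": "pdf",
}


def sniff(data: bytes) -> str:
    """Identify the container from its magic bytes, ignoring the file name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def triage(filename: str, data: bytes) -> list[str]:
    """Return human-readable findings for one attachment; empty means clean-ish."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)

    # 1. Extension/content mismatch: Office will happily open an OOXML file
    #    renamed to .doc, so the name alone tells the user nothing.
    if ext in EXPECTED_KIND and EXPECTED_KIND[ext] != kind:
        findings.append(f"extension .{ext} does not match content type {kind}")

    # 2. PDF: anything that executes when the document opens.
    if kind == "pdf":
        for name in sorted({m.group(0) for m in PDF_RISKY.finditer(data)}):
            findings.append(f"pdf contains {name.decode()}")

    # 3. OOXML: a VBA project or an embedded OLE object inside the zip.
    if kind == "zip":
        names = []
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            findings.append("zip container is corrupt")
        for n in names:
            low = n.lower()
            if low.endswith("vbaproject.bin"):
                findings.append(f"ooxml contains macro project {n}")
            if "/embeddings/" in low:
                findings.append(f"ooxml embeds object {n}")

    # 4. Legacy OLE2: cheap textual check for the VBA stream name.
    if kind == "ole2" and b"_VBA_PROJECT" in data:
        findings.append("ole2 document contains a VBA project stream")

    return findings


def triage_all(samples: dict[str, bytes]) -> dict[str, list[str]]:
    return {name: triage(name, data) for name, data in samples.items()}


def _ooxml(entries: dict[str, bytes]) -> bytes:
    """Build a minimal OOXML-style zip from the given entries (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in entries.items():
            z.writestr(name, body)
    return buf.getvalue()


# Constructed sample attachments (not real malware):
SAMPLES = {
    # PDF whose catalog runs JavaScript as soon as it is opened.
    "agenda.pdf": (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >>\n"
                   b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >>\n%%EOF"),
    # Macro-enabled OOXML document renamed to the legacy .doc extension.
    "budget.doc": _ooxml({"[Content_Types].xml": b"<Types/>",
                          "word/document.xml": b"<w:document/>",
                          "word/vbaProject.bin": b"\x00" * 16}),
    # Plain OOXML document with nothing of interest.
    "minutes.docx": _ooxml({"[Content_Types].xml": b"<Types/>",
                            "word/document.xml": b"<w:document/>"}),
}

if __name__ == "__main__":
    for name, found in triage_all(SAMPLES).items():
        print(name, "->", found or "no findings")
```

Run on its own the script reports the open-action PDF and the mismatched, macro-carrying .doc, and nothing for the plain .docx; in practice you would feed it real attachments pulled from the mail gateway and treat any finding as a reason to detonate the file in a sandbox rather than deliver it.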

One thing is for sure, it may not have been the biggest cyber attack in history, but it is certainly one of the most successful infosec media releases ever made, and for that McAfee must be congratulated: at least it has again focused some much needed attention in the media for such an important topic.

Follow @dodgy_coder
