Don't Believe the Hype: 'Operation Shady RAT' Is Nothing New
Digital security giant McAfee made headlines around the world today (Aug. 3) with the release of a report disclosing a massive cyberattack, dubbed "Operation Shady RAT," against dozens of corporations, organizations and governments around the world.
Vanity Fair magazine had a long "exclusive" breathlessly chronicling the frightening details. Wire services similarly detailed the "enormous" hacking campaign. Commentators, some anonymous, blamed China.
"I divide the entire set of Fortune Global 2000 firms into two categories," writes Dmitri Alperovitch, the author of the McAfee report, "those that know they've been compromised and those that don't yet know."
There's only one problem: None of this is news.
Stealthy, persistent, state-sponsored skilled hackers (what professionals call an "advanced persistent threat") have been snooping around in the networks of large organizations for years. Security professionals and regular readers of technology publications are well aware of the problem.
McAfee's report has simply collected more data on an old phenomenon and given it a catchy new name. Mainstream media organizations have eaten it up.
The fact is that in just the past six months, we've seen "Shady RAT"-style operations attempt, and often succeed in, stealing data from the defense contractors Lockheed Martin and Northrop Grumman, the security-device maker RSA, the treasuries of Britain and France, the International Monetary Fund, the Canadian defense ministry, the European Commission and the European Parliament, the Australian parliament, the banking giant Citigroup, and the Department of Energy's Oak Ridge National Lab.
In almost every case, the methods are the same: "Spear phishing" emails carrying "backdoor Trojans" embedded in attachments are directed at a few high-ranking or well-placed individuals within an organization.
It takes only one of those individuals to open one of those attachments, which might be disguised as a spreadsheet or a report, for the intruders to gain access to the organization's internal network.
(The "RAT" in "Shady RAT" stands for "remote access tool," another name for the malware that grants intruders access to protected networks.)
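The intrusion path described above (a spear-phishing attachment that looks like a spreadsheet or report but carries a backdoor) is exactly the kind of thing a mail gateway can screen for before a recipient ever sees it. The following is an added example, not code from McAfee's report or from this article: a small attachment-triage routine that compares what a filename claims to be against the file's leading bytes, and flags double extensions and executable content. The attachment names and byte strings are constructed for the example; the magic-byte table covers only a handful of common formats.

```python
"""Attachment triage for spear-phishing defence (added example, not from the article).

Flags email attachments whose name claims to be a document (spreadsheet,
report) but whose bytes say otherwise, or whose name carries a double
extension such as "invoice.pdf.exe". Sample attachments are constructed inline.
"""
from dataclasses import dataclass

# Leading bytes for formats an attachment name commonly claims to be.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy Office compound file (xls, doc, ppt)
ZIP = b"PK\x03\x04"                           # OOXML documents are zip containers
MAGIC = {
    "pdf": b"%PDF",
    "xls": OLE2,
    "doc": OLE2,
    "xlsx": ZIP,
    "docx": ZIP,
}
PE_MAGIC = b"MZ"                              # Windows executable header
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "hta"}


@dataclass
class Attachment:
    name: str
    data: bytes


def extension_parts(name):
    """All dotted suffixes of a filename, lower-cased: 'a.xls.exe' -> ['xls', 'exe']."""
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def triage(att):
    """Return the list of reasons to quarantine; an empty list means no finding."""
    reasons = []
    exts = extension_parts(att.name)

    # 1. Any executable suffix anywhere in the name.
    if any(e in EXECUTABLE_EXTS for e in exts):
        reasons.append("executable extension")

    # 2. Document-looking name that actually ends in an executable suffix.
    if len(exts) > 1 and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("double extension")

    # 3. Body starts with a PE header regardless of what the name says.
    if att.data.startswith(PE_MAGIC):
        reasons.append("PE header in attachment body")

    # 4. Name claims a known document type but the bytes do not match it.
    claimed = exts[-1] if exts else ""
    if claimed in MAGIC and not att.data.startswith(MAGIC[claimed]):
        reasons.append(f"content does not match claimed .{claimed}")

    return reasons


# Constructed sample attachments: two benign, two disguised.
SAMPLES = [
    Attachment("Q3-forecast.xlsx", ZIP + b"\x00" * 16),
    Attachment("board-report.pdf", b"%PDF-1.4\n%constructed sample\n"),
    Attachment("budget.xls", PE_MAGIC + b"\x90\x00\x03\x00"),
    Attachment("invoice.pdf.exe", PE_MAGIC + b"\x90\x00"),
]


def run_triage(samples=SAMPLES):
    """Map each attachment name to its quarantine reasons."""
    return {a.name: triage(a) for a in samples}


if __name__ == "__main__":
    for name, reasons in run_triage().items():
        verdict = "QUARANTINE" if reasons else "pass"
        print(f"{name:22} {verdict:10} {'; '.join(reasons)}")
```

A real gateway would go further (macro-bearing Office files, archives wrapping executables, Authenticode checks), but the magic-bytes-versus-extension comparison is the cheap check that catches the "spreadsheet" that is really a dropper.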
Command and control
What McAfee has done is to greatly add to the number of affected organizations. It got hold of a command-and-control server used in some of these attacks and found evidence that no fewer than 72 more organizations worldwide were targeted, including the International Olympic Committee and the United Nations.
In most cases, McAfee does not name the organizations, but instead lists them by country and category.
Western countries affected included the United States (which accounted for two-thirds of the targets), Canada, Britain, Germany, Denmark and Switzerland.
But most telling is the Asian countries and regions that were targeted: Taiwan, Hong Kong, South Korea, Japan, India, Indonesia, Singapore and Vietnam.
Look at a map and you'll see that all those countries are arrayed like satellites around a central hub: China. Yet no targets were identified in the People's Republic, the world's second-largest economy. And all the nations that were targeted have relations with China that are delicate at best.
Few companies that have been targeted have publicly blamed China, with Google the exception. And major security firms (McAfee is now owned by Intel) are equally reluctant to admit the obvious, perhaps for fear of alienating Chinese customers.
That hasn't stopped some security specialists from speaking what they believe is the truth.
"All the signs point to China," James A. Lewis, of the Washington, D.C.-based Center for Strategic and International Studies, told Vanity Fair. "Who else spies on Taiwan?"