The Public Eye with Eric Chabrow

Is China the Nation Behind Shady RAT?

McAfee Uncovers 5-Year, APT Intrusions Against 49 Global Entities
China is Shady RAT.

Okay, that declarative statement is my opinion about the identity of the so-called state actor that for five years hacked 49 entities including the American, Indian, South Korean, Taiwanese, Vietnamese and other governments, the International Olympic Committee and major global organizations and businesses in the defense, finance and high-tech sectors, among others. But it's an opinion shared by others. More on that in a bit. First, some background on Operation Shady RAT.

McAfee Wednesday issued a paper in which the security provider says it uncovered what could be the most massive computer intrusion known, perpetrated by a state actor, that dates back to at least mid-2006. This advanced persistent threat, or APT, resulted in the pilfering of government and military secrets and corporate intellectual property.

Paper author Dmitri Alperovitch, McAfee vice president of threat research (listen to my interview with Alperovitch, 8 IT Security Threats for 2011), termed the APT as Operation Shady RAT, noting that RAT is a popular acronym for remote access tool, a network administration tool that the hackers employed in their virtual attacks.

And those attacks caused much damage, as Alperovitch documents in his blog:

"What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth ... and much more has 'fallen off the truck' of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries."

McAfee Discovers the APT

According to the paper, McAfee gained access to a specific command-and-control server used by the intruders, collecting logs that reveal the full extent of the 49 victims since mid-2006.

How did the intruders get in? McAfee said the compromises were standard procedure for these types of targeted intrusions:

Hackers sent a spear-phishing e-mail containing an exploit to an individual with the right level of access, and when opened on an unpatched system, triggered a download of the implant malware. That malware executed a backdoor communication channel to the command-and-control web server, interpreting the instructions encoded in hidden comments embedded in the webpage code. This was quickly followed by live intruders, who jumped into the infected machine and proceeded to escalate privileges and move laterally within the organization to establish new, persistent footholds through additional compromised machines running implanted malware. Finally, they targeted for quick exfiltration the key data they sought.
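One defensive counterpart to the hidden-comment channel described above, as an added example that is not from the McAfee paper or this post: a scanner over captured page bodies that flags HTML comments carrying base64-like or high-entropy blobs. The sample pages and the thresholds are constructed assumptions.

```python
import base64
import math
import re

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
# A run of base64 alphabet at least 32 chars long, optionally padded.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
MIN_BLOB_LEN = 64    # assumption: long unbroken strings are worth a look
MIN_ENTROPY = 4.5    # assumption: bits/char; prose comments sit well below this


def shannon_entropy(text):
    """Bits per character of the string; higher means more random-looking."""
    n = len(text)
    if n == 0:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_comments(html):
    """Return (reason, snippet) for each comment that looks like an encoded payload."""
    findings = []
    for raw in COMMENT_RE.findall(html):
        body = raw.strip()
        if any(B64_RE.match(tok) for tok in body.split()):
            findings.append(("base64-like token", body[:40]))
        elif (len(body) >= MIN_BLOB_LEN and " " not in body
              and shannon_entropy(body) > MIN_ENTROPY):
            findings.append(("high-entropy blob", body[:40]))
    return findings


# Constructed sample pages (not captured traffic): one ordinary developer
# comment, and one comment hiding an encoded blob the way the post describes.
BENIGN_PAGE = "<html><!-- main navigation; updated 2011-08-03 --><body>Hi</body></html>"
_BLOB = base64.b64encode(b"constructed sample blob for this example only").decode()
SUSPECT_PAGE = (
    "<html><!-- main navigation; updated 2011-08-03 --><body>Hi</body>"
    f"<!-- {_BLOB} --></html>"
)

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("suspect", SUSPECT_PAGE)):
        print(name, suspicious_comments(page))
```

Run over proxy-captured HTML, a hit is a lead to inspect, not proof of compromise; the useful signal is the same comment recurring in pages fetched by many hosts over time.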

McAfee declines to identify the culprit, and Beijing hasn't issued any press release fessing up to the digital assaults. But who else could it be? No one, says James Lewis.

Lewis is paid to think of such things, as director and senior fellow for technology and public policy at the think tank Center for Strategic and International Studies, and McAfee provided him with an advance copy of its paper. Surmising China as the perpetrator was a matter of elimination. Here's Lewis' reasoning:

"The U.S. and U.K. don't spy on each other; Israel doesn't care enough about Korea or Taiwan to divert collection resources for that extended a period. The only two countries left at the top of the league are Russia and China. It could be either, but the material in the report and the targets for collection point more in the direction of China than Russia. This also fits with three other operations I know of that are also attributed to China. It's a suggestive pattern.
"The timing and the targets point to China. Spying right before the Beijing Olympics and focusing on Southeast Asia reflects China's larger interests more than those of any other country."

Lewis also says this type of multiyear hack is something only a government can afford to do:

"It takes a lot of work. It's a typical intelligence activity, though."

Putting Hacking News in Perspective

In recent months, much attention has been given to events of a less grand scale, though troublesome, such as breaches incurred at RSA, Sony and Epsilon. Also grabbing headlines were the far-less-damaging exploits of hacktivist groups of the likes of Anonymous and LulzSec. Joe Gottleib, chief executive of risk and security management software provider SenSage, contrasts the publicity hounding of the hacktivists with the stealth operations conducted by the Shady RAT actors:

"These hackers kept collecting information without a need to trumpet their successful attacks; they remained content to quietly accumulate valuable IP and other digital contraband. That is the key to cyber-cunning acts we are seeing more of today: The ability to automate their collection efforts using slow and tenacious cyber-crawlers, burrowing deeper and deeper into the infoscape while transmitting their harvested data back to a huge database of information until they were caught."

And, stopping such perpetrators isn't easy. Gottleib says one main reason Shady RAT existed for five years undetected was the lack of deep historical analysis of raw data logs:

"Without additional forensics - which could only be done if raw data is collected and stored for years at a time - it is almost impossible to discover or prove where these types of attacks originate, and when they are inadvertently spread to other sites. Even the most proactive security practitioner stops one vector of the attack, unless they are looking at patterns, anomalies and variances over time, these cyber-cunning attacks are easy to miss."
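The long-horizon pattern analysis Gottleib argues for, as an added example not from the post or from SenSage: given weeks of retained connection logs, flag source/destination pairs whose contacts recur for many days at near-constant intervals. The log lines and the thresholds are constructed assumptions.

```python
import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

MIN_EVENTS = 20   # assumption: need this many samples to judge regularity
MIN_DAYS = 14     # assumption: only patterns spanning weeks interest us here
MAX_CV = 0.2      # assumption: std/mean of gaps; machines beat humans at regularity


def make_logs(seed=1):
    """Constructed outbound-connection log: '<iso timestamp> <src> <dst>' per line."""
    rng = random.Random(seed)
    start = datetime(2011, 6, 1)
    lines = []
    # Host A calls one destination every 6 h (+/- 10 min) for 30 days: a beacon.
    t = start
    while t < start + timedelta(days=30):
        lines.append(f"{t.isoformat()} 10.0.0.5 203.0.113.7")
        t += timedelta(hours=6, minutes=rng.uniform(-10, 10))
    # Host B reaches a busy site 120 times at random over the same 30 days: noise.
    for _ in range(120):
        t = start + timedelta(seconds=rng.uniform(0, 30 * 86400))
        lines.append(f"{t.isoformat()} 10.0.0.9 198.51.100.4")
    return lines


def find_beacons(lines):
    """Return ((src, dst), mean_gap_hours, cv) for long-lived, regular pairs."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    flagged = []
    for pair, times in by_pair.items():
        times.sort()
        if len(times) < MIN_EVENTS or len({t.date() for t in times}) < MIN_DAYS:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= MAX_CV:
            flagged.append((pair, round(mean_gap / 3600, 1), round(cv, 3)))
    return flagged


if __name__ == "__main__":
    for pair, hours, cv in find_beacons(make_logs()):
        print(f"{pair[0]} -> {pair[1]}: every {hours} h, cv={cv}")
```

The check only works if the raw log is kept for the whole window; a 30-day retention policy that rotates the first week away is exactly the gap the quote describes.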

Lewis says he isn't shocked by Operation Shady RAT, saying it reflects the current state of cybersecurity: "It's pretty bad, but we already knew that."

Alperovitch, writing in the paper, sadly concurs:

"We know of many other successful targeted intrusions ... which impact other companies and industries. This is a problem of massive scale that affects nearly every industry and sector of the economies of numerous countries, and the only organizations that are exempt from this threat are those that don't have anything valuable or interesting worth stealing."

I asked Lewis if he saw anything encouraging in the report. Lewis' answer:

"It's possible that the attackers aren't any better at defense than we are."

Sad state, indeed.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



