Threat Management, Threat Intelligence, Malware, Network Security

McAfee fires back at Shady RAT criticism

McAfee has fired back at critics of its report on Operation Shady RAT, saying the CEO of rival anti-virus maker Kaspersky Lab, who called the report “alarmist,” is missing the point.

In a report released early this month, McAfee detailed a five-year-long advanced persistent threat (APT) and cyberespionage offensive which reportedly has plundered intellectual property from some 72 companies across 14 nations.

Eugene Kaspersky, co-founder and CEO of Kaspersky Lab, contested the McAfee document. In a blog post last week, he argued that his company is not concerned about the report, arguing that the malware referenced is not very sophisticated.

But debates over how evolved the attack really is are diverting attention from the bigger picture, Phyllis Schneck, chief technology officer and vice president of the public sector at McAfee, said in a blog post Friday.

“This attack was revealed to shed light on the urgency of cross-sector cyber resiliency,” Schneck wrote."It's unfortunate that Mr. Kaspersky takes issue with providing information to the public."

Adversaries, she continued, regularly share information and use it to systematically attack not only individual companies, but also entire markets and economies.

“We lack the alacrity to defend against this threat without public-private collaboration, which begins with global awareness – the very thing we must promote to protect our way of life,” Schneck said.

Rob Lee, faculty lead for digital forensics at the SANS Institute, told on Monday that he does not believe McAfee's report is all hype. The report, he said, highlights the very real threat of well-organized and funded attacks coming from China.

“There is a concerted effort from another nation-state to gain intellectual property and information from not only those listed in the report, but thousands of other companies,” Lee said.

Operation Shady RAT is just “one chapter of a story that has been going on for years,” Lee added. Chinese hackers are strategically launching such attacks against companies in the United States and across the world, he said.

And, despite popular belief, APT attacks don't necessarily need to be technically sophisticated, Lee said. The “advanced” part of the name APT actually refers to the attacker's organizational structure, rather than their weapons.

“Why would you bring out your most powerful weapons when the easy stuff is working?” Lee said.

To that point, McAfee's Schneck said Operation Shady RAT could actually be considered a “successful persistent threat" rather than an APT.

“It was only as advanced as it needed to be,” she said.

The attack is notable not for its technical sophistication, but because of the wide range of affected entities – corporations, government agencies, defense contractors and nonprofits – as well as the amount of data stolen and for how long it continued, she said.

While still less common than mass malware and spam campaigns that are identified every day, APT attacks have grown in prevalence over the last few years, Aviv Raff, CTO of cyberthreat management company Seculert, told on Monday.

One of the greatest problems about APT attacks is that many organizations simply fail to detect them, Lee said. Instead of posturing against each other, vendors should be thinking about ways to better detect such malicious activity so victims can respond in a more organized manner.

Also, there needs to be a way for affected entities, even those that compete against each other in business, to share intelligence data about attacks they have faced, Lee said.

Meanwhile, in her blog post Friday, Schneck also questioned Kaspersky's classification of Shady RAT as a botnet. Botnets refer to networks of compromised computers that communicate and are being controlled by a central command-and-control (C&C) server.

“Unfortunately for Mr. Kaspersky, he is getting botnets and advanced persistent threats confused,” Schneck said.

However, Seculert's Raff believes that Shady RAT is actually a botnet, albeit a small one.

“The risk of this botnet is defined by its targets, rather than by its size,” he said. Lee objected, though, saying the infected Shady RAT PCs were individually controlled, and not as a group, which runs counter to the makeup of a traditional botnet.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.