McAfee is proud to boast that it is the world’s largest dedicated security company. With this size comes immense research resources, which McAfee has put to good use by informing the public on the latest cybersecurity risk to mesmerize the industry: the advanced persistent threat (APT).
The security firm, recently acquired by Intel, fancies itself a chronicler of the APT genre, starting with a 2010 report on the attacks affecting Google and numerous other firms in what it called ‘Operation Aurora’, followed a year later by the ‘Night Dragon’ investigation of a coordinated threat targeting the oil and gas industry.
The latest APT-related report from McAfee was released this past August, detailing a more than five-year-long intrusion it called ‘Operation Shady RAT’. But unlike the Aurora and Night Dragon reports that preceded it, Shady RAT gave rise to a bit of disagreement. It begged the question: Is the Shady RAT published analysis nothing more than fear-mongering, or a well-intentioned effort to inform the greater security community?
Trapping a RAT
The investigation was made public by McAfee on August 2 in a report titled ‘Revealed: Operation Shady RAT’. The ‘RAT’ in this case stands for ‘remote access tool’, which is a piece of software installed on a machine that allows a remote user to control a system.
Dmitri Alperovitch, McAfee’s VP of Threat Research and author of the report, described Shady RAT’s infiltration method, which he called “standard procedure” for most targeted attacks: “a spear phishing email containing an exploit [was] sent to an individual with the right level of access at the company, and the exploit when opened on an unpatched system trigger[ed] a download of the implant malware”. Subsquently, Alperovitch said, the malware will execute and initiate a backdoor communication channel to a command-and- control server. At this point, he continues, attackers will be able to jump from machine to machine within an organization and access information accordingly.
The report detailed what Alperovitch called “a historically unprecedented transfer of wealth” over a five to six year period, affecting 72 organizations from an assortment of sectors. Among the data types McAfee listed as leaked: classified data from government networks, source code, bug databases, SCADA configurations, email archives, and legal contracts.
The McAfee VP made it clear that Shady RAT was “not a new attack”, with most affected organizations having already taken mitigation steps. The purpose of the report, he added, was to raise public awareness of the issue and to share this information across the industry.
By gaining access to a command-and-control server used by the operators of Shady RAT, McAfee was able to compile a rather intriguing profile of the organizations affected by the threat. Of the 72 targeted organizations, 49 of them were in the US, including 13 defense contractors. Perhaps the most interesting finding was that five of the targets were international sporting bodies, leading McAfee to conclude that the perpetrator was likely a state actor due to the lack of a financial motivation in obtaining data from these organizations.
Alperovitch himself was careful to put the threat into perspective in a blog post that accompanied the report’s release. He acknowledged the term APT has “lost much of its original meaning due to overzealous marketing tactics of various security companies”. Further comments he made in the report, however, hardly softened the hysteria that has accompanied so-called APT threats, as Alperovitch said he is “convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly)”, adding, rather sarcastically, that the “only organizations that are exempt from this threat are those that don’t have anything valuable or interesting worth stealing.”
So was McAfee simply performing a service for the greater security community by exposing this latest threat, or was the company contributing to the APT furor by assuming the role of circus ringmaster? Regardless of the motives, the Shady RAT report resulted in a rather public disagreement between two of the world’s largest dedicated security firms.
Rumblings from Russia
A couple of weeks after the report was released, US congresswoman Mary Bono Mack, a Republican from California, sent a letter to Alperovitch and McAfee. In the letter the lawmaker asked the McAfee VP to provide a personal briefing on the threat, including whether or not the attack method used was novel and a request to quantify the impact of the intrusion on US businesses.
It was apparently this letter that trigged a response from Eugene Kaspersky, founder and CEO of Kaspersky Labs. “We do not share the concerns surrounding the intrusion described in the report”, Kaspersky said in his personal blog. The firm’s chief executive said his own company had performed an analysis of Shady RAT, which he described as a botnet. He then chastised the McAfee report as being “alarmist due to its deliberately spreading misrepresented information”.
In addition, Kaspersky emphasized there are other threats that organizations should be worrying about, citing what he believes are the far more sophisticated examples of Zeus, Rustock, and Stuxnet. “Most security vendors did not even bother assigning a name to Shady RAT’s malware family, due to it being rather primitive”, he wrote. “With Shady RAT we are dealing with a lame piece of homebrew code that could have been written by a beginner.”
What the report resulted in, Eugene Kaspersky told Infosecurity, is “even more confusion”. In an e-mail response to our questions, he said that information about Shady RAT had been known for “several months” by researchers at other anti-virus companies. Further, he continued, many anti-virus programs had been actively detecting and blocking Shady RAT’s spyware during that time.
Aleks Gostev, Kaspersky Lab’s resident security expert, not-so surprisingly agreed. “For no less than a year, the lists of C&C servers and the control schemes used by Shady RAT and in many other incidents have been known both to anti-virus vendors and IT security companies in general”, he said. “Some of these companies have conducted their own investigations acting on requests from the victim organizations; these investigations were not public and were not intended to be widely publicized.”
|"I think an APT is more isolated than what is suggested here"|
|John Walker, ISACA, Secure-Bastion|
Prof. John Walker of Nottingham Trent University, UK, described the Shady RAT report a bit differently. “[It] is a historical review of where we have been and what we have seen”, said Walker, who is also CTO of the consultancy Secure-Bastion. What the report did not do, he added, was lend any credibility that this was a threat of specific importance.
“McAfee needs to get off their bike and start thinking about what the risk is, and not about what its marketing posture is”, Walker added in sternly criticizing vendor reports in general. “That’s a real problem at the moment – it’s about the marketing posture of what they see as opportunities.”
On the other hand, Walker did not agree with Kaspersky’s claim that McAfee was “deliberately spreading” misinformation via the Shady RAT report. What McAfee reinforced in the report, that APTs are ongoing and prevalent, is in accordance with what most experts and governments are saying as well, he insisted. “I believe there are far too many cases of people hiding their heads in the sand against what is reality.”
For Vanity’s Sake
In his follow-up comments, Eugene Kaspersky also called into question McAfee’s motives for publishing the Shady RAT report. He insinuated it was hardly coincidence that the report’s release took place during the Black Hat Conference in Las Vegas this past August, as well as it being featured prominently in a Vanity Fair article that broke the news within an exclusive piece on cyber-espionage.
“One can’t help but agree that exclusive material about a threat to national security in a fashion magazine is a bit odd”, Kaspersky told us. “The security industry does not typically use that route to inform the public about recently detected problems.”
“Moreover”, Kaspersky added, “we believe that it is unacceptable to publish information about any attacks without a full description of all the components and technologies used, since these incomplete reports do not allow experts to make all possible efforts to protect their own resources.”
The brief war of words between McAfee and Eugene Kaspersky continued the day after his initial blog post, when McAfee’s Phyllis Schneck chimed in. The company’s VP & CTO for the global public sector responded to Kaspersky’s initial objections about publicly unveiling the report. She also took issue with his characterization of the threat.
“This attack was exposed so honest global communities can be aware of the urgency of cross-sector cyberresiliency”, she wrote in a retort to Kaspersky’s comments. Schneck cited the willingness of cyberadversaries to share information on conducting operations as an example of the type of public-private cooperation that is needed in defense. “It is unfortunate Mr. Kaspersky takes issue with providing information to the public”, she added.
Schneck also addressed his references to Shady RAT as a botnet, a point on which she says the Kaspersky CEO is mistaken. Kaspersky “is getting botnets and advanced persistent threats confused”, she said, calling Shady RAT – by definition – a successful persistent threat that “was only as advanced as it needed to be”.
But Kaspersky’s Gostev said his company’s analysis of Shady RAT came to only one conclusion – that the threat was “categorically” a botnet. Among the reasons he listed for this finding were the tell-tale characteristics of a botnet’s operation: threat spread due to the mass distribution of emails containing malicious files; execution of a malicious file causes the victim’s computer to get infected; the downloaded trojan interacts with a remote server; more than one computer is infected by the trojan at any one time; and hackers with access to the control center can execute a command on any infected computer.
“McAfee itself describes a botnet as a ‘network of hijacked zombie computers controlled remotely by a hacker’”, Gostev continued. “Is Shady RAT a botnet?”, he responded to one of our questions. “The answer", Gostev said, "could not be plainer”.
At least one analyst agrees with Gostev’s critique of Shady RAT by pointing out that the threat was far from a sophisticated, targeted attack. According to Richard Stiennon, founder of research firm IT-Harvest and online security expert for Focus.com, the organizations affected come from a large variety of verticals across both the private sector and government, with the threat being more characteristic of a “spam-borne attack”.
Raj Samani, McAfee’s CTO for EMEA, told us that, contrary to Gostev’s assertion, mass distribution of email was not a characteristic of the Shady RAT operation. “Emails were sent to targeted individuals”, he said, which led to the download of a particular exploit on their system. (Full disclosure: Raj Samani is a member of the Infosecurity editorial board.)
But Prof. Walker insisted that the type of threat Shady RAT can be labeled as may not be so clear cut. The ISACA member said it may be nothing more than a traditional botnet, and that the whole threat itself is “a bunch of hype. Not all threats are hype”, he added, noting that APTs do, in fact, exist.
“I think an APT is more isolated than what is suggested here”, Walker speculated when reflecting on McAfee’s analysis. He was referring to the fact that more than 70 organizations were affected rather than a specific, narrow target or group of targets.
So, was Shady RAT an APT? Some say ‘yes’, others say ‘no’, and then there’s the camp that say ‘not quite’. Perhaps the more important question is whether McAfee was wise to publish the report at all. Were its motives altruistic, as Alperovitch and Schneck claimed, or are the gentlemen from Kaspersky correct, and McAfee made the report public for self-serving purposes? It’s possible that neither stance matters much, and that perhaps this is just the “sign of a healthy research community when we see critiques of one firm’s reports coming from another, highly respected firm”, as Stiennon claimed.
Even though he described Shady RAT as more of a spam-like attack and not an APT, he nonetheless gives McAfee credit for kick-starting the dialogue. “McAfee’s report generated one of the biggest responses of any report to date”, Stiennon said. “[It] helped raise awareness of how easily most organizations are penetrated.”
If you ask McAfee’s Raj Samani, he believes the company has a “social responsibility” – both within and outside the security community – to draw attention to the fact that attacks like these are taking place all the time.
Samani said the whole controversy about whether the report is indeed “alarmist”, as Eugene Kaspersky claimed, was utterly remarkable – and not in a good way. “The good guys don’t share information, and the bad guys do”, he remarked in exasperation.
Samani said he looks forward to a continuing debate about whether or not Shady RAT is a simple botnet or a more insidious APT. What’s more important, in his view, is that all security researchers put their minds together to find better solutions to cybercrime. “At the end of the day it’s not Kaspersky against McAfee, its Kaspersky and McAfee, who are both out there trying to protect their customers”, Samani surmised. “We may compete commercially, but we ultimately all have the same objectives.”