China refutes McAfee claims it was behind Shady RAT attacks

On Wednesday of this week McAfee issued a `Shady RAT (remote access trojan)' report that detailed, in great depth, what it claims are a series of multi-year, multi-system attacks on at least 72 US and other Western-allied government, contractor and other server systems.

The report - entitled `An investigation of targeted intrusions into 70+ global companies, governments and non-profit organisations during the last 5 years' - pointed an accusing finger at the Chinese government and its supporters as being behind the attack.

According to the Guardian newspaper, the report in Friday's edition of the People's Daily - "the mouthpiece of China's ruling Communist party" - "did not quote any official reaction to the hacking allegations but is the closest to an official response from Beijing."

The paper says that the People's Daily disputed the suggestions. "Linking China to internet hacking attacks is irresponsible," it said.

"The McAfee report claims that a 'state actor' engaged in hacking for a large-scale internet espionage operation, but its analysis clearly does not stand up to scrutiny", it added.

McAfee's report, meanwhile, said that 72 systems in the US, Canada, Taiwan, India, South Korea and Vietnam - as well as systems at the United Nations, and a range of US contractor servers - were targeted in the attacks.

According to IT auditing and logging specialist LogRhythm, whoever was to blame for the attacks, they are an example of the type of targeted attacks that are increasingly being used to extract sensitive data.

Ross Brewer, the firm's vice president, said that cybercriminals know what they want and are now more than capable of accessing it - even if this means breaking into the systems of the world's most security-conscious organisations.

"The way this attack was spotted is a lesson to all organisations about how they should approach IT security in future. By collecting and analysing log data it was possible to locate where traffic flow was coming from. In addition, using log data in this way meant data loss, and the methods by which it was extracted, could be identified", he said.

"Unfortunately many firms are wasting this valuable resource. In order to spot vulnerabilities in real time it is essential that organisations have automated, centralised systems in place that collect and monitor 100% of log data on an ongoing basis", he added.

Brewer went on to say that only this approach can provide the traceability required to spot attacks when they occur and respond appropriately to minimise damage.

Over at encryption key specialist Venafi, meanwhile, Jeff Hudson, the firm's CEO, agreed with Brewer's analysis, noting that the attacks are often due to difficulties in properly deploying and managing security systems within the infrastructure.

"Let's be honest and see things as they are truly. This latest reported series of on-going breaches makes an irrefutable case. The bad guys are inside. Period, end of story. Anyone arguing with that is in denial", he said.

"The malware and the intruders are operating inside organisations today undetected. The best firewalls and intrusion detection obviously aren't enough. If people want to protect the data, which is what the bad guys are after, it has to be encrypted and the keys must be well managed", he added.

Hudson went on to say that it is interesting that recent media reports point an accusing finger at state-sponsored terrorists and governments.

Regardless of which country or agency has been launching these attacks, the bottom line is that the attacks have been successful where government secrets have been leaked, he explained.

And, he added, as some of the attacks on US government and United Nation servers date back five years, it is clear that public sector agencies need to significantly rethink their security practices.

The best approach to defending against these types of attacks, says Hudson, is to encrypt all data flowing between the agencies' IT resources, as well as encrypting all data that is stored.

IT managers, he adds, also need to enforce authentication, encryption key access control and audit logging for all local and remote access to this data.
