McAfee’s Shady RAT conclusions “unfounded”, says Kaspersky

Earlier this month, McAfee said that a five-year operation, which it dubbed Operation Shady RAT, victimized a total of 70 organizations spanning 14 countries. McAfee said that the operation was likely carried out by a foreign government and that intellectual property and other proprietary information was stolen from these organizations.

Kaspersky, however, does not see it like that. “I’d like to say straight out that we do not share the concerns surrounding the intrusion described in the report”, he wrote in a blog post.

“We conducted detailed analysis of the Shady RAT botnet and its related malware, and can conclude that the reality of the matter (especially the technical specifics) differs greatly from the conclusions made” by McAfee, he said.

Shady RAT, in fact, was far from being a sophisticated operation. “Most security vendors did not even bother assigning a name to Shady RAT’s malware family, due to its being rather primitive”, he wrote.

Kaspersky said that the McAfee report is “alarmist” and is “deliberately spreading misrepresented information.”

McAfee’s Phyllis Schneck, chief technology officer for the global public sector, responded to Kaspersky’s accusations.

“Would it be alarmist to let a bank know that someone has just walked out with a wad of cash while they weren’t paying attention?”, Schneck asked. “It doesn’t matter how sophisticated the attack is if it results in material loss. If a bank robber gets $100 million by walking in the front door with a gun, it’s news, not because the attack is novel, but because of its effectiveness. It’s not the sophistication of the attack that’s important, and this is a clear case where technical arguments are preventing some people from seeing the larger, more important picture.”

Schneck also questioned Kaspersky’s use of the term “botnet” to refer to Shady RAT. “Unfortunately for Mr. Kaspersky, he is getting botnets and advanced persistent threats confused. In this case, the APT should really be called an SPT (successful persistent threat). It was only as advanced as it needed to be. The impressive thing here was the breadth of targets, the length of the attack, and the amount of data taken, remembering also that we know only of 72 companies/organizations victimized through one command and control server, out of hundreds or more used by this adversary”, she said.

Schneck concluded: “Quiet, insidious, market-changing threats like these hide in the noise of botnets, ‘hacks,’ and other high-profile or nuisance events.”
