04 August 2011

One Thing We Know about the Shady Rats

The news about "Operation Shady Rat" has naturally provoked much interest (as it was intended to). After all, who could fail to be impressed by claims like this?

I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.

You can read the rest of the McAfee post for more details - but not for an answer to the key question: who is doing this? You don't have to be a genius to work out that it's probably one of two large countries situated in Asia, and personally I'd guess it's the one with lots of people in it, FWIW.

But that's not really what interests me here. Instead, I'd like to focus on this final part of the post:

Although Shady RAT’s scope and duration may shock those who have not been as intimately involved in the investigations into these targeted espionage operations as we have been, I would like to caution you that what I have described here has been one specific operation conducted by a single actor/group. We know of many other successful targeted intrusions (not counting cybercrime-related ones) that we are called in to investigate almost weekly, which impact other companies and industries. This is a problem of massive scale that affects nearly every industry and sector of the economies of numerous countries, and the only organizations that are exempt from this threat are those that don’t have anything valuable or interesting worth stealing.

It's a nice ending to a fascinating piece, but in one respect it's almost certainly not true.

That's because, like just about every similar piece describing massive intrusions of this kind, the McAfee post doesn't actually say anything about the platforms that were affected, simply noting:

The compromises themselves were standard procedure for these types of targeted intrusions: a spear-phishing email containing an exploit is sent to an individual with the right level of access at the company, and the exploit when opened on an unpatched system will trigger a download of the implant malware. That malware will execute and initiate a backdoor communication channel to the Command & Control web server and interpret the instructions encoded in the hidden comments embedded in the webpage code. This will be quickly followed by live intruders jumping on to the infected machine and proceeding to quickly escalate privileges and move laterally within the organization to establish new persistent footholds via additional compromised machines running implant malware, as well as targeting for quick exfiltration the key data they came for.
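The quoted chain ends with the implant reading its tasking from hidden comments in a web page it fetches, which is a behaviour a defender can look for in proxy captures without knowing the implant itself. The script below is an added example, not McAfee's or the post author's code; it assumes the tasking is carried as a base64-like blob inside an HTML comment, extracts every comment from a page, and flags those that look like encoded data rather than prose. The sample page, the length and entropy thresholds, and the placeholder blob are all constructed for this illustration.

```python
import base64
import binascii
import math
import re

# Hidden-comment tasking detector (added example, not McAfee's or the post's code).
# Assumption: tasking is hidden in HTML comments as a base64-like blob, as the
# quoted McAfee text describes; other encodings would need other checks, so the
# thresholds below are tunable starting points, not fixed rules.

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

MIN_LEN = 24          # shorter blobs are too common in benign markup
MIN_ENTROPY = 4.0     # bits per char; prose comments sit well below this


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts: dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def comment_findings(html: str) -> list[dict]:
    """Return one record per HTML comment that looks like an encoded blob."""
    findings = []
    for idx, m in enumerate(COMMENT_RE.finditer(html)):
        body = m.group(1).strip()
        # Conditional comments, prose and markup fragments contain spaces or
        # brackets and are rejected by the charset check before any decoding.
        if len(body) < MIN_LEN or not B64_RE.match(body) or len(body) % 4:
            continue
        ent = shannon_entropy(body)
        if ent < MIN_ENTROPY:
            continue
        try:
            decoded = base64.b64decode(body, validate=True)
            decodes = True
        except (ValueError, binascii.Error):
            decoded, decodes = b"", False
        findings.append({
            "comment_index": idx,   # position among all comments on the page
            "length": len(body),
            "entropy": round(ent, 2),
            "decodes": decodes,
            "preview": decoded[:40],  # first bytes for an analyst to eyeball
        })
    return findings


# Constructed sample page: two ordinary comments, one IE conditional comment,
# and one comment carrying an encoded placeholder blob.
_BLOB = base64.b64encode(
    b"constructed placeholder tasking text used only to exercise the detector."
).decode()
SAMPLE_HTML = f"""<html><head><title>Press releases</title></head>
<body>
<!-- main content starts here -->
<!--[if IE]><p>legacy browser notice</p><![endif]-->
<p>Quarterly results are in.</p>
<!-- {_BLOB} -->
<!-- TODO: fix footer alignment -->
</body></html>
"""

if __name__ == "__main__":
    for finding in comment_findings(SAMPLE_HTML):
        print(finding)
```

Run over response bodies pulled from a web proxy, the detector is useful mainly for triage: a page that legitimately carries base64 in comments is rare, so a hit is worth pairing with the requesting host and checking whether that host fetches the same page on a regular interval, which is the beaconing pattern the quoted text implies.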

But somebody in the comments asked the obvious question: "Were the initial intrusions all on Microsoft OS machines? Also, was a particular browser targeted?" To which the answer came:

All the malware we’ve seen was Windows-based. There were a variety of vulnerabilities used.

Think about that. This massive breach of security, and loss of possibly highly-sensitive information, was all down to two things: the abiding thoughtlessness of people opening attachments, and a range of flaws in Microsoft's software.

So the statement that "the only organizations that are exempt from this threat are those that don’t have anything valuable or interesting worth stealing" is not true; another class would be those wise enough not to allow any of their personnel to use Microsoft products. We may not know definitively who the Shady Rats are, but we certainly know what they *really* love.

Follow me @glynmoody on Twitter and identi.ca, or on Google+

Nick Barnes said...

personally I'd guess it's the one with lots of people in it
The one with 10% more people in it, which will be overtaken within about a decade?

glyn moody said...

@nick: yup, exactly

twitter said...

I think you are a little hard on Windows users. You first blame an "abiding thoughtlessness of people opening attachments" for part of the continuing Windows security failure but this is a minor factor. There are lots of exploits for Microsoft email clients and browsers. Flaws in Windows even work to undermine browsers that are safe on other OS. Many of the attachment exploits depend on Windows to do stupid things, like hide file name extensions. Microsoft likes to blame users for their problems but we should not fall for it. These problems don't exist in the free software world and are greatly reduced in popular mixed systems like Android and non-free systems like OSX or Solaris.

glyn moody said...

@twitter: well, I was trying to be fair in the sense that even people using sensible operating systems can do stupid things, and ultimately there's no way to stop them (running as root, etc.)