McAfee’s Report on Operation Shady RAT
Given the attention that McAfee’s recent report has generated, and in light of the fact that the report was not generally available when I wrote my post “Biggest-ever series of cyber attacks uncovered,” I have decided to write an updated post describing my personal response to the report.
Following are excerpts of the report – together with my observations. Since the report is some 17 pages long, I will necessarily be able to address only specific passages. If people have questions on other passages I did not address, please direct those to me in the comments.
For the last few years, especially since the public revelation of Operation Aurora, the targeted successful intrusion into Google and two dozen other companies, I have often been asked by our worldwide customers if they should worry about such sophisticated penetrations themselves or if that is a concern only for government agencies, defense contractors, and perhaps Google. My answer in almost all cases has been unequivocal: absolutely.
Having investigated intrusions such as Operation Aurora and Night Dragon (systemic long-term compromise of Western oil and gas industry), as well as numerous others that have not been disclosed publicly, I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.
Here McAfee specifically cites two previous attacks that Google (Operation Aurora) and McAfee (Night Dragon) linked to China. One should note, however, that despite its high-profile accusations, Google never provided any evidence that the Aurora attacks were masterminded from China (see also this and this). And while McAfee did provide some reasons why it believed the Night Dragon attacks originated from China, those were speculative guesses at best. As the top of the section on Attribution in the Night Dragon report made clear in bold letters, “IMPORTANT: McAfee has no direct evidence to name the originators of these attacks but rather has provided circumstantial evidence.”
In reading the present report, one should not lose sight of the fact that McAfee is in the business of selling cyber security solutions. It is in McAfee’s interest to highlight – even heighten – security threats, including – as the following shows – playing on the fears of an uncertain West in the face of a rising East.
The report continued:
Lately, with the rash of revelations about attacks on organizations such as RSA, Lockheed Martin, Sony, PBS, and others, I have been asked by surprised reporters and customers whether the rate of intrusions is increasing and if it is a new phenomenon. I find the question ironic because these types of exploitations have occurred relentlessly for at least a half decade, and the majority of the recent disclosures in the last six months have, in fact, been a result of relatively unsophisticated and opportunistic exploitations for the sake of notoriety by loosely organized political hacktivist groups such as Anonymous and Lulzsec. On the other hand, the targeted compromises—known as ‘Advanced Persistent Threats (APTs)’ (although this term lately lost much of its original meaning due to overzealous marketing tactics of various security companies, as well as to the desire by many victims to call anything they discover being successful at compromising their organizations as having been an APT)—we are focused on are much more insidious and occur largely without public disclosures.
Cyber attacks have existed for a long time, and most attacks are unsophisticated. This is not surprising. Nevertheless, many attacks have recently been blown out of proportion by security companies pursuing “overzealous marketing tactics.” This is very true. But I also get the sense that McAfee’s writing of this report and hyping up the dangers of unknown attacks – those “insidious” attacks that “occur largely without public disclosures” (…the biggest fear is fear itself; you have nothing to fear but fear itself…) – also constitutes an example of such “overzealous marketing tactics.”
[These attacks] present a far greater threat to companies and governments, as the adversary is tenaciously persistent in achieving their objectives. The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cybercrime, another serious but more manageable threat.
What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth—closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more has “fallen off the truck” of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries.
I do not fault McAfee for wanting to sell an insecure West on the notion that Western institutions are under attack by non-Western ones intent on overtaking the West. But does the evidence McAfee produces even pass minimal scrutiny?
The mere existence or even prevalence of attacks against Western companies does not per se prove anything. Western companies have long been known to conduct espionage against each other (see, e.g., 10 most notorious acts of industrial espionage). In fact, since the world’s most valuable companies are still predominantly Western, it comes as no surprise that it is these companies – the ones with the most wealth, most resources, most intellectual property, and the most closely guarded information – that provide the highest-profile targets for attack. I mean, by contrast, would anyone be incentivized to hack into a poor Somali company?
Also, would a poor Somali company mount a sophisticated attack such as Shady RAT? Given the resources at the disposal of these most successful companies, and the vigor with which these companies compete with each other for shares of the global market, I’d not be surprised if the most audacious and most sophisticated of attacks are perpetrated by Western companies against Western companies.
Now, don’t get me wrong. I am not saying that China is a saint. As the Chinese economy develops, many Chinese companies will inevitably be competing with Western multinationals for a piece of the global market as well. As they gain resources, Chinese companies will join the Western elite companies in conducting industrial espionage on each other using similarly sophisticated techniques.
But let’s not lose perspective. The U.S. is the top source of cyber attacks in the world – originating some 2.7 times as many attacks as China – according to this 2008 study. A more recent Q1 2011 study from Akamai ranks China only fifth in terms of hacking source traffic in Q1 2011 (with Myanmar, the U.S., Taiwan, and Russia ahead), and in a practical tie with the U.S., Taiwan, and Brazil (each with about 7.5% of worldwide traffic, with Russia far ahead at 10%) in Q4 2010. YES, China ranks fifth – despite having by far the most Internet users in the world.
We do live in an era where power and influence are moving from West to East. So when people read passages such as the one above about an “adversary [who] is motivated by a massive hunger for secrets and intellectual property,” they may automatically jump to the conclusion that it is China who is behind the hacking. But there are many others interested in good “intellectual property” besides the Chinese government. As noted above, Western companies constantly spy on each other. Western governments also regularly spy on each other. And Western non-profits like Wikileaks are interested in the “intellectual property” of “all society’s institutions, including government, corporations and other organisations.” Mere interest in such property therefore does not by itself indict China.
McAfee has gained access to one specific Command & Control server used by the intruders. We have collected logs that reveal the full extent of the victim population since mid-2006 when the log collection began. …
After painstaking analysis of the logs, even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators. … [E]veryone is falling prey to these intrusions, regardless of whether they are the United Nations, a multinational Fortune 100 company, a small non-profit think-tank, a national Olympic team, or even an unfortunate computer security firm.
[The report goes on to present in graphics form the attacks across industries and nations: basically a lot of countries and a lot of institutions (government, defense, high tech, sporting) have been attacked]
The interest in the information held at the Asian and Western national Olympic Committees, as well as the International Olympic Committee (IOC) and the World Anti-Doping Agency in the lead-up and immediate follow-up to the 2008 Olympics was particularly intriguing and potentially pointed a finger at a state actor behind the intrusions, because there is likely no commercial benefit to be earned from such hacks.
The last paragraph above has gotten a lot of press coverage. Many in the press believe the targeting of the IOC to be the smoking gun: China must be involved! But I ask: how is that? The IOC – as far as the 2008 Olympics is concerned – and China were practically in bed together. Their interests were perfectly aligned. They didn’t need to hack into each other to influence each other. Not during the time around 2008 anyway. In fact, if there are those who had the motive to break in to spoil the party, it is the anti-China groups, not China. Perhaps instead of a “state actor,” McAfee should be looking to human rights and democracy “NGOs”?
As you further analyze this last paragraph, any accusation against China starts to make even less sense. I mean, why would China want to hack the World Anti-Doping Agency? A quick perusal of the world’s sports doping cases shows a bunch of athletes who are Westerners, with very few (if any) Chinese. The Chinese might be interested in preventing others from hacking into their computers to discover the true age of Chinese gymnasts (actually, to learn more about that topic, see this or this or this or this) – but hacking the World Anti-Doping Agency???
The presence of political non-profits, such as a private western organization focused on promotion of democracy around the globe or U.S. national security think tank is also quite illuminating. Hacking the United Nations or the ASEAN (Association of Southeast Asian Nations) Secretariat is also not likely a motivation of a group interested only in economic gains.
Hmm… according to McAfee, only one small political democracy non-profit was a victim. But even taking McAfee’s conclusion at face value that this represented a significant breach, what does the hacking of political non-profits suggest? Yes – one can speculate that the Chinese government may be behind these attacks; China, after all, is one of the favorite targets of these groups (see, e.g., this Amnesty International Human Rights Report). But one could equally speculate that it is Western multinational companies that did it, given the long animosity between these companies and human rights and pro-democracy organizations (see, e.g., here and here and here). And what about those Middle Eastern governments? Why not indict Egypt, Syria, Saudi Arabia, etc.?
After presenting time lines of various attacks, the report concluded:
Although Shady RAT’s scope and duration may shock those who have not been as intimately involved in the investigations into these targeted espionage operations as we have been, I would like to caution you that what I have described here has been one specific operation conducted by a single actor/group. We know of many other successful targeted intrusions (not counting cybercrime-related ones) that we are called in to investigate almost weekly, which impact other companies and industries. This is a problem of massive scale that affects nearly every industry and sector of the economies of numerous countries, and the only organizations that are exempt from this threat are those that don’t have anything valuable or interesting worth stealing.
This sounds right. As the world becomes more and more connected, every institution – government, non-profit, or for-profit – across every country (China included) will face ever-escalating security threats. As long as there are secrets worth stealing, there will be those who will do the stealing. China is not special. China is a victim, too.
In summary: the report presents some interesting insights into how slow-spread attacks work. Unfortunately, it also draws some dubious conclusions based on motives (e.g., the “state actor” conclusion) and presents enough of a narrative of fear that resonates with an uncertain West to start a wildfire of articles attacking China.