Cyber experts dispute McAfee's Shady RAT report

Published 22 August 2011

Earlier this month, cybersecurity experts discovered a five-year operation that infiltrated U.S. government and UN computer networks; China is believed to be the culprit behind the systematic attacks, dubbed “Operation Shady RAT,” which also hit major defense contractors and private businesses; many within the cybersecurity community are disputing the significance of the finding

Shady RAT was reputedly born and raised in China // Source: theblaze.com

Earlier this month, cybersecurity experts discovered a five-year operation that infiltrated U.S. government and UN computer networks, but many within the cybersecurity community are disputing the significance of the finding.

China is believed to be the culprit behind the systematic attacks, dubbed “Operation Shady RAT,” which also hit major defense contractors and private businesses. In a surprising turn, it was McAfee rather than government or military computer analysts that discovered the attacks, and government officials are now investigating the matter.

“We obviously will evaluate it and look at it and pursue what needs to be pursued,” said DHS Secretary Janet Napolitano. 

Dmitri Alperovitch, McAfee’s vice president of threat research, said the company was surprised by how many different computer networks had been hacked.

“Even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators,” Alperovitch said.

Details of the report remain vague, but it did claim that the attacks came from a single source, widely thought to be China. The report also did not name most of the seventy-two victims, but did say forty-nine of them were American.

Since the report’s release earlier this month, it has generated fierce criticism from within the cybersecurity community with many calling it “alarmist.” In a blog post, Eugene Kaspersky, the head of Kaspersky Lab and nicknamed the “Virus Pope,” contradicted McAfee’s findings.

“We conducted detailed analysis of the Shady RAT botnet and its related malware, and can conclude that the reality of the matter (especially the technical specifics) differs greatly from the conclusions made by Mr. Alperovitch,” Kaspersky wrote.

He went on to say, “[W]e cannot concede that the McAfee analyst was not aware of the groundlessness of the conclusions, leading us to being able to flag the report as alarmist due to its deliberately spreading misrepresented information.”

Kaspersky, along with several other researchers, said that Operation Shady RAT was not a sophisticated attack and should not have been widely reported.

“Some of the more insidious intrusions take place without the general public becoming aware of them,” Kaspersky responded. “What’s more, they can go undetected for some time before being discovered by the IT security industry, and this is likely to continue due to the nature of the architecture of modern software and the Internet.”

“However, regarding Shady RAT,” he added, “the IT security industry did know about this botnet, but decided not to ring any alarm bells due to its very low proliferation — as confirmed by our cloud-based cyberthreat monitoring system and by other security vendors. It has never been on the list of the most widespread threats.”

Hon Lau, a cybersecurity researcher with Symantec, also questioned the sophistication of the attackers, calling their techniques sloppy, while Joe Stewart, the director of malware for Dell SecureWorks, noted that Shady RAT’s code “is actually less sophisticated than general malware the public sees.”