Security vendor McAfee earlier this week revealed Operation Shady Rat, a long-running series of network intrusions and acts of data theft that preyed on organizations all over the world. However, the revelation of Shady Rat came as little surprise to some in the security community.
“This is simply the latest example of something we recognized around 2001 and have been advising our clients about,” Jonathan Gossels, president of SystemExperts, told TechNewsWorld.
The security community has known about this kind of spear-phishing attack for some time, said David Harley, senior research fellow at ESET.
“We talked about it in a book I edited and co-wrote in 2007, and it wasn’t new then,” he added. The book is the AVIEN Malware Defense Guide for the Enterprise.
“The threat is absolutely real and serious, and McAfee has been aware of it for many years, as have many others,” Dmitri Alperovitch, vice president of threat research at McAfee, told TechNewsWorld.
However, many investigations are not disclosed publicly because they’re governed by non-disclosure agreements (NDAs) that are put into place, Alperovitch said.
Why Expose the Rat Now?
If investigations are governed by NDAs, how is it that McAfee can talk about Operation Shady Rat openly?
“Shady Rat was a unique situation where we were able to get information about the victims that was received outside of the process which would have been covered by the NDA,” Alperovitch explained.
McAfee got the information from logs on a criminal command and control server it had penetrated on its own.
Perhaps the public exposure of Shady Rat was a marketing ploy.
Most security work is done in private. “McAfee, however, decided to go public with this, so we can assume they were looking to establish a thought leadership position and grab some public relations benefits,” SystemExperts’ Gossels opined.
McAfee has worked with law enforcement and various government agencies across the United States and abroad to keep them apprised of Shady Rat, Alperovitch said.
However, the right solution might entail taking a more sweeping approach.
“Focusing specifically on a response to Shady Rat would not be the best response to these revelations,” Richard Wang, a manager at SophosLabs U.S., told TechNewsWorld. “A better solution would be to improve security generally.”
Enterprises should ensure that their defenses are in place and up to date, and that they’re monitored regularly, Wang said.
“Remember, these attacks are intentionally stealthy,” SystemExperts’ Gossels pointed out.
Systematic log analysis and deploying systems from a master build that has been rigorously tested to assure its integrity are essential practices, but “user security awareness training is key,” Gossels said.
“The best security practices can be easily subverted by a user inadvertently downloading malware or keystroke loggers when visiting a social networking site,” Gossels explained.
That is, in fact, how security firm RSA got hacked in March. An employee opened an Excel spreadsheet containing a zero-day Adobe Flash exploit; the spreadsheet was attached to an email purporting to be about the company’s 2011 recruitment plan.
It Takes a Global Village to Fight the Rat
Combating Shady Rat requires a coordinated effort, McAfee contends.
“We believe this is ultimately a political problem that needs to be raised to the highest levels in our government,” Alperovitch stated. “Ultimately this activity presents such an existential problem to our economic security … that it needs to be raised in bilateral and multilateral conversations with our adversaries using a carrot and stick diplomatic approach.”
National responses to data theft from, and intrusions into, IT systems by hackers date back to the early 2000s in both Europe and the United States, ESET’s Harley said.
It’s likely that the Obama administration’s Comprehensive National Cybersecurity Initiative had Shady Rat in mind when it referred to cybercrime and related threats, ESET’s Harley opined.
However, such national or coordinated responses may not be the answer.
“The attacks are quite fragmented, so defensive measures also have to be fragmented and multi-layered,” Harley said.
“Everyone will have to fend for themselves as all networks are set up slightly differently, and most poorly, I might add,” grumped SystemExperts’ Gossels.
“A nationwide, or better yet, global effort to improve cybersecurity would be welcome, but at the end of the day, no one is going to come and secure your network for you,” SophosLabs’ Wang pointed out. “That is a task that each organization holding valuable data must take responsibility for.”