China Suspected Of Shady RAT Attacks

Black Hat

10 Massive Security Breaches

Were the recently disclosed Shady RAT attacks launched by people operating for--or on behalf of--China?

Shady RAT--for remote access tool--is the name of the "low and slow" attack detected by McAfee, and detailed in a report it released on Tuesday. According to McAfee, the attack successfully compromised at least 72 organizations, including 22 governmental agencies and contractors, 13 defense contractors, 23 businesses, and think tanks, political nonprofits, and other organizations.

McAfee said that a single entity was behind the attacks. While it declined to name a suspect, it did suggest that a nation state might be the perpetrator. "The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cybercrime, another serious but more manageable threat," according to the McAfee report.

Experts, however, said there was little doubt who launched Shady RAT. "This just further confirms what we already know, that China is doing these things," Joel Brenner, former senior counsel to the NSA, former head of U.S. counterintelligence under the Director of National Intelligence, and currently of counsel to Cooley LLP, told InformationWeek at the Black Hat conference, a UBM TechWeb event, in Las Vegas on Wednesday.

According to leaked, secret U.S. government cables, China began launching online attacks--dubbed by government officials as "Byzantine Hades"--in 2002, if not earlier. Things came to a head in 2009, however, with evidence that there had been Chinese involvement in the Operation Aurora attacks against Google, amongst other companies. In response to the attacks, and in a direct shot at Chinese authorities, Google stopped censoring Google.cn. Unnamed Chinese officials, however, denied that China was involved.

During its Operation Aurora investigation, Google discovered that there had been at least 30 other organizations attacked. "The vast majority of them had no idea that they were victims, until they got a call from Google," said Alex Stamos, CTO of security consulting company iSEC Partners. (While Google didn't name those companies, a leak of emails from HBGary, as detailed by Kaspersky Lab, said that Adobe, DuPont, Juniper Networks, Northrop Grumman, and Sony were among the compromised organizations.)

Why does it take organizations so long to spot these attacks? "Scale, impact, and source," said Joe Gottleib, president and CEO of security event management vendor SenSage, via email. "A slow-moving attack often falls below the radar because it requires methodical analysis of event data, over a broad landscape, and a long period of time. Cyber-cunning is not just about clever attacks. It's about being patient and slow, where real-time analysis simply won't pick you up."

Without a doubt, spotting APT-driven exploits can be quite difficult, even for sophisticated organizations. For example, at the Black Hat conference, Tony Sager, chief of the NSA's information assurance directorate, told InformationWeek that in the NSA's experience with red teaming the Department of Defense, it can take some time to detect quite low-level attacks and, on occasion, the red team needs to escalate the attacks before they get spotted.

Given that status quo, and as Operation Aurora, Night Dragon, and now Shady RAT attacks illustrate, "the rules of engagement are changing, even between nation states," said Sager.

Furthermore, given the anti-security and anti-establishment efforts of Anonymous, LulzSec, and their "anti-security" ilk, the game now involves more than just nation states. "It's a bit chaotic and anarchic recently," he said.

In this new Tech Center report, we profile five database breaches--and extract the lessons to be learned from each. Plus: A rundown of six technologies to reduce your risk. Download it here (registration required).