Waiting on Revisions: Operation Shady Rat Shouldn't Have Been a Surprise

Sue Marquette Poremba

By now, you have probably heard the big news from the Black Hat conference: McAfee's revelation of what it called "Operation Shady Rat." The McAfee blog pointed out:

What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth: closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more has 'fallen off the truck' of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries.

The length and nature of this campaign have a lot of people worried, and debating what steps could have prevented it, or at least detected it earlier. Addressing that thought, Bill Roth, CMO of LogLogic, said in an email statement:

The Shady Rat incident shows just how sophisticated the bad guys are becoming. We, in the security community, need to constantly test our assumptions about the nature of our systems and networks. Shady RAT shows that Advanced Persistent Threats are not just a clear and present danger, but that they take advantage of the notion of the duration of a normal attack. Attacks are now perpetrated by people with large amounts of resources and time, indicating the need for systems that can retain and manage data for a long period of time.

Apparently, a number of people are pointing the finger at China, and at least one person has raised the idea that we should have been watching China a lot more closely. In a June 4 blog post, Harry Sverdlove of Bit9 wrote:

The FBI is being tasked to investigate Google's recent claim that attacks on the gmail accounts of senior government officials, and hundreds of others, originated from Jinan, China. This is the same location identified in the highly publicized and sophisticated Aurora attacks that hit Google, Adobe, Intel and others in late 2009. Jinan is the home of the Lanxiang vocational school, which reportedly has military links . . . Both civilian and public institutions are under constant cyber attack from China, and the organizations being attacked are more often than not able to trace the sources. But officially, few are willing to go on record with this information. It is ironic that China is trying to hide and censor the result of Google searches while Google is trying to reveal the source of breaches.

According to PC World, McAfee reported 72 organizations worldwide were hacked. The article stated:

So how would a company find out if they were affected? It might be hard. But a security vendor has built a Web-based tool called the Shady Rat checker that went live on Friday. It checks to see if the IP address of the computer you are using is listed in the Shady Rat server logs.
A positive result means that a particular computer has communicated with the Shady Rat command-and-control server, said Aviv Raff, CTO and co-founder of Seculert, a company that has a cloud-based service used to detect malware and other cyberthreats.
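The check the Seculert tool performs is essentially a comparison between the client addresses recorded in the command-and-control server's logs and the public addresses an organization uses. The example below is an added illustration, not Seculert's tool or McAfee's code; the real Shady RAT server logs and their format are not reproduced on this page, so the log lines here are constructed in a hypothetical Apache-style format and the egress ranges are placeholders. It goes slightly beyond the article's single-IP lookup by matching whole CIDR ranges, which is what a practitioner would actually have to do behind NAT.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of what a C2 web server access log might look like.
# Hypothetical: the page does not reproduce the real Shady RAT logs.
SAMPLE_C2_LOG = """\
203.0.113.7 - - [12/Jul/2011:03:14:07 +0000] "GET /images/x.gif HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [12/Jul/2011:03:15:10 +0000] "GET /images/x.gif HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [13/Jul/2011:11:02:44 +0000] "POST /upload.asp HTTP/1.1" 200 77 "-" "Mozilla/4.0"
192.0.2.250 - - [13/Jul/2011:11:05:01 +0000] "GET /images/x.gif HTTP/1.1" 404 0 "-" "Mozilla/4.0"
not a log line at all
"""

# Client IP, timestamp, request line and status code of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_c2_log(text):
    """Return {client_ip: [(timestamp, request, status), ...]} from log text.

    Malformed lines are skipped rather than aborting the whole check, so a
    partially damaged log still yields whatever contacts are recoverable.
    """
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits[m.group("ip")].append(
            (m.group("ts"), m.group("req"), int(m.group("status")))
        )
    return dict(hits)


def check_egress(log_hits, egress_ranges):
    """Match an organization's public egress ranges against the log's client IPs.

    egress_ranges: CIDR strings or single addresses (hypothetical placeholders
    here). Returns {matched_ip: [(timestamp, request, status), ...]}.
    Every recorded contact counts, including ones the server answered with
    an error, because the beacon still reached the C2 host.
    """
    networks = [ipaddress.ip_network(r, strict=False) for r in egress_ranges]
    matched = {}
    for ip, entries in log_hits.items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # garbage in the client field, not an address
        if any(addr in net for net in networks):
            matched[ip] = entries
    return matched


if __name__ == "__main__":
    hits = parse_c2_log(SAMPLE_C2_LOG)
    # Hypothetical egress ranges for the organization running the check.
    for ip, entries in check_egress(hits, ["203.0.113.0/24"]).items():
        for ts, req, status in entries:
            print(f"{ip} contacted C2 at {ts}: {req} -> {status}")
```

Two caveats belong with any such check. A match against an egress range says that some host behind that address talked to the server, not which host: behind NAT the address identifies the organization, and finding the machine still requires internal proxy or NetFlow records for the same timestamps. And a clean result only means the address is absent from the logs that were recovered; it says nothing about contacts that were never logged, were logged on a different server, or predate the retention window, which is exactly the long-duration problem raised in the LogLogic statement above.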
