Shady RAT's risk of exaggerated claims

The fight against cyber-espionage deserves hard numbers, not hand-waving

McAfee's talking-up of the threats represented by Operation Shady RAT supports a convenient narrative, but how much do we accurately know about the unidentified enemy or enemies? Not a lot, I'd wager.

When McAfee published their white paper Revealed: Operation Shady RAT (PDF) early this month, the core message was clear. Traditional credit-card-stealing cybercrims were a threat, yes, but a containable one. Hackers with a political or economic focus were a far greater menace.

"What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth," the white paper said.

"Closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more has 'fallen off the truck' of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries."

The author of those words, McAfee's vice president of threat research Dmitri Alperovitch, was certainly keen to emphasise the risks when he toured Australia last week.

"Economic espionage and political espionage that we've been seeing for the last five or six years is much more insidious, much more serious, and may perhaps be an existential threat to our economies," he told CSO Online. Billions of dollars, it could cost us.

"And we're talking about national security-related information," he said.

Goodness me.

There were plenty of supporting messages too. At least qualitative ones.

Attackers can be well-organised. Some of them have motivations other than short-term financial gain. Smaller organisations can be targeted, either in their own right or as a stepping stone. A small law firm, for example, might know the details of a major international resources deal. Attacks can be highly personalised and difficult to detect. However, many targets were breached using relatively simple tools. Most targets were completely unaware they'd been compromised, often for years.

While those messages aren't new, they're well worth repeating.

But where are the quantitative messages? The hard numbers?

How big is this force of bad guys, for example?

"Thousands, perhaps tens of thousands," Alperovitch said. You've got numerous actors involved here. People to write malware, people to do the reconnaissance and identify the individuals to be targeted, operators for the remote access tools (RATs) used to control the hacked computers, people to exfiltrate the data, people to analyse the data and make use of it...

"It's a big intelligence operation," he said.

And a highly-structured one?

"Well, we don't really know, but one would suspect that the scale and magnitude on which this is occurring that there has to be some structure to it," Alperovitch said.

We also suspect this kind of espionage has been growing.

But note that word. Suspect. "Thousands, perhaps tens of thousands" and "billions of dollars" and "existential threat" are all just hand-waving.

Existential threats are rather convenient, of course. That's the stuff national governments pay to deal with, not commercial industries. If there's a government budget labelled "cyber-espionage" then rest assured, investigators will find evidence of cyber-espionage, and lots of it.

To put it more kindly for McAfee's sake, the Shady RAT report is fine as far as it goes. But we're only at the very beginning of understanding the scale and nature of the threat.

So far we know the scale is "big" and the nature of the threat is "complex", but surely responsible policy-making demands better facts. Especially if we're going to wave the national security flag and introduce tough new laws.

We certainly have to move beyond the situation where, for example, Australia's Attorney-General Robert McClelland can recycle the factoid that "cybercrime has overtaken the drug trade as the most profitable form of crime in the world" when it was exposed as bunkum two years ago.

We need, in short, more and better research. Just like we do for traditional cybercrime.
