
Bit9

Making headlines this week was McAfee’s report on a wide-scale cyber attack on at least 72 different organizations across the globe over a period of at least five years. They have dubbed this attack Operation Shady RAT (for “Remote Access Tool”). Briefly reviewing the facts:

  • All of the attacks analyzed by McAfee came from a single machine that was used as a CnC (Command & Control) server. Therefore, we can assume the same person or organization was behind these attacks.
  • All of the victims were specifically targeted through spear phishing campaigns, where an email was sent to specific individuals containing a malicious payload. This was not a random or broad spectrum campaign; the targets were hand-picked.
  • Once a target was infiltrated, a human being at the other end of the CnC server issued commands to the compromised systems. It was not simply an automated virus or worm – the attacker(s) manually controlled the behavior and the data exfiltration process.
  • While most targets were based in the United States, other countries were also attacked, including government organizations within Canada, India, South Korea, Vietnam and Taiwan. If we assume a government is unlikely to attack itself, the list of potential countries behind Shady RAT is rather narrow.
  • The targets spanned the gamut in terms of organizational category, including government, energy, manufacturing, real estate, security and information technology, non-profit think tanks, and even the International Olympic Committee (IOC) and the World Anti-Doping Agency.
  • According to Joe Stewart of Dell SecureWorks, the attackers used the HTran tool as part of their camouflaging. HTran is a connection-bouncing proxy that relays traffic through intermediate hosts to hide the true location of the CnC server. It was developed by a Chinese hacker believed to be loyal to the People’s Republic of China. (Note: HTran was also used in the RSA security breach.)

In the report, McAfee suggests that the attacker was a state actor (read: nation state), but it does not name the nation. Various security professionals, including myself, have come out and said that the attacker was either directly working for, or supported by, China. Rather unsurprisingly, China, through its official People’s Daily newspaper, has denied it was involved and has called any such accusations “irresponsible.”

As I’ve said before, it is important to identify your attackers so you can have an honest and open discussion about how to best defend and respond to such attacks. If we keep hiding behind the nebulous monikers “nation state” and “state actor,” as if some mysterious unnamed boogeyman is targeting our most sensitive data, our success will be limited.

I could write a book explaining the rationale behind identifying China, or the Chinese government, by name, detailing a pattern of Chinese cyber (and physical) espionage that dates back over a decade, and explaining the motivations behind a nation whose economic and global position depends on the theft of intellectual property (IP). There is enough evidence that even the O.J. Simpson jury would convict if this were a criminal trial.

Aside from the compelling inferences of the facts I listed above, consider one of the most important tools used in law enforcement: Victimology.

By analyzing the victims of Shady RAT – their characteristics, locations, and the information they contain – we can better understand the attacker. What do the targets have in common? How does the attacker choose the targets? What information are they seeking? What gain can be made from that information?

The commercial enterprises that fell victim to Shady RAT all contain some form of intellectual property, be it plans for a communications satellite, energy generation, or computer security. Were it just one specific vertical, we might infer the attacker is an industry competitor. But this was corporate espionage on a global scale. Only a government or a state-sponsored entity has the wherewithal to take advantage of such a broad spectrum of data. Furthermore, the suspect set is restricted to countries whose governments keep tight control of their economies and private sector, so they can use the stolen information to advance their economic standing.

At least half a dozen government entities were also attacked. These are organizations that hold political and military secrets. The parties likely to want such information again point to nation states, or perhaps terrorist organizations. Given the breadth of governments, and the organizational skill required to spear phish each of them, I think we can safely rule out rogue terrorist groups. We can also rule out any of the governments victimized, unless you are a conspiracy theorist who believes governments attack themselves to throw off suspicion. The governments attacked were First World countries within North America and Europe, and a swath of countries across South, Southeast and East Asia. While Russia has been thought to be involved in past cyber incidents, it is telling that no Eastern European countries were targeted.

Lastly, there is this seemingly bizarre insertion of victims among non-profit organizations, Olympic committees, and economic and political think tanks. It’s not that bizarre when you consider the value information can have in enhancing geo-political influence. Even if the data from most of these organizations is eventually going to be made public, a few weeks’ advance notice can give you an edge on world currencies, trade negotiations, or political posturing. Were the targets only economic think tanks, a sufficiently organized criminal enterprise might be the attacker, but given the breadth, only a nation could truly benefit from such data. As for the International Olympic Committee and World Anti-Doping Agency, those attacks occurred just prior to and immediately after the 2008 Summer Olympics. Hmmm, did I mention those were hosted in Beijing, China? Might be probative, I don’t know.

People may accuse me of just trying to make noise, but I truly believe it is important to not stick our heads in the sand when it comes to security. The evidence is compelling and the victimology is telling. The Chinese government is either directly or indirectly behind Operation Shady RAT.
