Shady RAT's risk of exaggerated claims
- 24 August, 2011 06:00
McAfee's talking-up of the threats represented by Operation Shady RAT supports a convenient narrative, but how much do we accurately know about the unidentified enemy or enemies? Not a lot, I'd wager.
When McAfee published their white paper Revealed: Operation Shady RAT (PDF) early this month, the core message was clear. Traditional credit-card-stealing cybercrims were a threat, yes, but a containable one. Hackers with a political or economic focus were a far greater menace.
"What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth," the white paper said.
"Closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more has 'fallen off the truck' of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries."
The author of those words, McAfee's vice president of threat research Dmitri Alperovitch, was certainly keen to emphasise the risks when he toured Australia last week.
"Economic espionage and political espionage that we've been seeing for the last five or six years is much more insidious, much more serious, and may perhaps be an existential threat to our economies," he told CSO Online. Billions of dollars, it could cost us.
"And we're talking about national security-related information," he said.
There were plenty of supporting messages too. At least qualitative one.
Attackers can be well-organised. Some of them have motivations other than short-term financial gain. Smaller organisations can be targeted, either in their own right or as a stepping stone. A small law firm for example, might know the details of a major international resources deal. Attacks can be highly personalised and difficult to detect. However many targets were breached using relatively simple tools. Most targets were completely unaware they'd been compromised, often for years.
While those messages aren't new, they're well worth repeating.
But where are the quantitative messages? The hard numbers?
How big is this force of bad guys, for example?
"Thousands, perhaps tens of thousands," Alperovitch said. You've got numerous actors involved here. People to write malware, people to do the reconnaissance and identify the individuals to be targets, operators for the remote access tools (RATs) used to control the hacked computers, people to exfiltrate the data, people to analyse the data and make use of it...
"It's a big intelligence operation," he said.
And a highly-structured one?
"Well, we don't really know, but one would suspect that the scale and magnitude on which this is occurring that there has to be some structure to it," Alperovitch said.
We also suspect this kind of espionage has been growing.
But note that word. Suspect. "Thousands, perhaps tens of thousands" and "billions of dollars" and "existential threat" are all just hand-waving.
Existential threats are rather convenient, of course. That's the stuff national governments pay to deal with, not commercial industries. If there's a government budget labelled "cyber-espionage" then rest assured, investigators will find evidence of cyber-espionage, and lots of it.
To put it more kindly for McAfee's sake, the Shady RAT report is fine as far as it goes. But we're only at the very beginning of understanding the scale and nature of the threat.
So far we know the scale is "big" and the nature of the threat is "complex", but surely responsible policy-making demands better facts. Especially if we're going to wave the national security flag and introduce tough new laws.
We certainly have to move beyond the situation where, for example, Australia's Attorney-General Robert McClelland can recycle the factoid that "cybercrime has overtaken the drug trade as the most profitable form of crime in the world" when it was exposed as bunkum two years ago.
We need, in short, more and better research. Just like we do for traditional cybercrime.
More articles written by Stilgherrian: