Operation Shady RAT

McAfee revealed a five-year cyber-espionage campaign it called “Shady RAT”, which it claims to have affected up to 72 organisations in 14 countries. Organisations affected by Shady RAT are said to have lost emails, design plans, strategy documents and the like. McAfee reports that this is a hack of unprecedented proportions and that advanced persistent threats are to blame.

McAfee identified the wide-ranging array of victimised organisations by gaining access to the command-and-control server from which the attacks were supposedly launched. So, how does a company find out if it has been a victim of Shady RAT? A tool called the “Shady RAT Checker” has been released by Seculert which checks whether your IP address appears in the log of the command-and-control server.

Some of the highlights of the exposé were:

– The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cybercrime, another serious but more manageable threat.

– What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth — closely guarded national secrets (including those from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, supervisory control and data acquisition (SCADA) configurations, design schematics

– This is not a new attack, and the vast majority of the victims have long since remediated these specific infections (although whether most realized the seriousness of the intrusion or simply cleaned up the infected machine without further analysis into the data loss is an open question).

– The compromises themselves were standard procedure for these types of targeted intrusions: a spear-phishing email containing an exploit is sent to an individual with the right level of access at the company, and the exploit, when opened on an unpatched system, will trigger a download of the implant malware. That malware will execute and initiate a backdoor communication channel to the C&C web server and interpret the instructions encoded in the hidden comments embedded in the webpage code. This will be quickly followed by live intruders jumping on to the infected machine and proceeding to quickly escalate privileges and move laterally within the organization to establish new persistent footholds via additional compromised machines running implant malware, as well as targeting for quick exfiltration the key data they came for.

– The shortest time that an organization remained compromised was less than a single month.

– The longest compromise was recorded at an Olympic Committee of a nation in Asia; it lasted on and off for 28 months, finally terminating in January 2010.

Also read Symantec’s rejoinder.