Shady RAT not scariest. By Techgirl
On Aug 4, 2011, my colleague Sumir Singh wrote an article based on online security giant McAfee’s investigation into what was dubbed the most serious and successful hacking operation so far (article republished below). India was one of the prime targets of Operation Shady RAT.
The world media lapped up the McAfee research as an account of one of the greatest hacking attacks ever. In India, every major media house, including the Times, CNN-IBN, NDTV, the Hindu and others, published the McAfee findings.
Now McAfee’s business rival Symantec has published an analysis arguing that while the ‘Shady RAT’ hacking was serious, it was hyped up and wrongly presented as a new benchmark in hacking. The Symantec report says:
“While this attack is indeed significant, it is one of many similar attacks taking place daily. Even as we speak, there are other malware groups targeting many other organizations in a similar manner in order to gain entry and pilfer secrets. While there is a need for information, there will always be those ready to supply it. We may not always know the true motivations and identities of those behind these attacks, but we can work to exploit mistakes they make in order to get a better view of what they are doing and bring us one step closer to tracking them down.
Going back to my earlier question, is the attack described in Operation Shady RAT a truly advanced persistent threat? I would contend that it isn’t, especially when you consider the errors made in configuring the servers and the relatively non-sophisticated malware and techniques used in this case. Sure the people behind it are persistent, but no more so than the myriad of other malware groups out there such as Zeus, Tidserv, and others like them.”
Have the Bollywood and Hollywood PR machines now taught their tricks to the tech industry?
(Techgoss had published the following on Aug 4, 2011)
Shady RAT hacked India. By Sumir Singh
Online security giant McAfee’s Dmitri Alperovitch has released the company’s report on what it characterizes as an unprecedented, high-level hacking operation, dubbed ‘Shady RAT’, aimed at stealing intellectual property, trade secrets and government secrets. The report implies that a government was behind this concerted hacking. The victims were specifically targeted and included Olympic committees, US defense contractors, the World Anti-Doping Agency, a New York-based media company and even the Government of India.
“McAfee has gained access to one specific Command & Control server used by the intruders. We have collected logs that reveal the full extent of the victim population since mid-2006 when the log collection began. Note that the actual intrusion activity may have begun well before that time but that is the earliest evidence we have for the start of the compromises. The compromises themselves were standard procedure for these types of targeted intrusions: a spear-phishing email containing an exploit is sent to an individual with the right level of access at the company, and the exploit when opened on an unpatched system will trigger a download of the implant malware. That malware will execute and initiate a backdoor communication channel to the Command & Control web server and interpret the instructions encoded in the hidden comments embedded in the webpage code. This will be quickly followed by live intruders jumping on to the infected machine and proceeding to quickly escalate privileges and move laterally within the organization to establish new persistent footholds via additional compromised machines running implant malware, as well as targeting for quick exfiltration the key data they came for.
Another fascinating aspect that the logs have revealed to us has been the changing tasking orders of the perpetrators as the years have gone by. In 2006, the year that the logs begin, we saw only eight intrusions: two on South Korean steel and construction companies, and one each on a South Korean Government agency, a Department of Energy Research Laboratory, a U.S. real-estate firm, international trade organizations of an Asian and a Western nation, and the ASEAN Secretariat. (That last intrusion began in October, a month prior to the organization’s annual summit in Singapore, and continued for another 10 months.) In 2007, the pace of activity jumped by a whopping 260 percent to a total of 29 victim organizations. That year we began to see new compromises of no fewer than four U.S. defense contractors, Vietnam’s government-owned technology company, a U.S. federal government agency, several U.S. state and county governments, and one computer network security company. The compromises of the Olympic Committees of two nations in Asia and one Western country began that year as well. In 2008, the count went up further to 36 victims, including the United Nations and the World Anti-Doping Agency, and to 38 in 2009. Then the number of intrusions fell to 17 in 2010 and to 9 in 2011, likely due to the widespread availability of the countermeasures for the specific intrusion indicators used by this specific actor. These measures caused the perpetrator to adapt and increasingly employ a new set of implant families and command & control infrastructure (causing activity to disappear from the logs we have analyzed). Even news media was not immune to the targeting, with one major U.S. news organization compromised at its New York Headquarters and Hong Kong Bureau for more than 21 months.
In all, we identified 72 compromised parties (many more were present in the logs but without sufficient information to accurately identify them).
…” (8/8/2011)
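The McAfee excerpt above describes the command-and-control channel in one sentence: the implant fetches an ordinary-looking web page and reads its instructions out of hidden HTML comments. The following is an added example, written for this page and not code from McAfee, Symantec or the Shady RAT operators, that shows both sides of such a channel: the implant-side parser that pulls a tasking string out of a comment, and a defender-side heuristic that flags comments which look like opaque payloads rather than developer notes. The comment marker (`wp-cache:`), the base64 encoding, the sample page and the 203.0.113.10 address are all assumptions constructed for the example; the page does not describe the real implant's encoding, and the thresholds in the detector are tuned to this sample and should be calibrated against real traffic.

```python
"""Hidden-HTML-comment C2 channel: implant-side extraction and a defender heuristic.

Constructed example. The marker and base64 encoding are hypothetical stand-ins;
they are not the encoding used by the actual Shady RAT implants.
"""
import base64
import binascii
import math
from html.parser import HTMLParser
from typing import List, Optional

# Assumed marker: the hypothetical implant only trusts comments that begin
# with this tag and base64-decodes the remainder as its tasking string.
MARKER = "wp-cache:"

# Constructed sample page: one benign developer comment and one tasking comment.
# 203.0.113.10 is a documentation address (RFC 5737), not a real C2 host.
SAMPLE_PAGE = """<html><head><title>Quarterly Update</title></head>
<body>
<!-- main navigation -->
<ul><li>Home</li><li>News</li></ul>
<!-- wp-cache:Y29ubmVjdCAyMDMuMC4xMTMuMTA6NDQz -->
<p>Nothing to see here.</p>
</body></html>"""


class _CommentCollector(HTMLParser):
    """Collects the text of every <!-- ... --> comment in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.comments: List[str] = []

    def handle_comment(self, data: str) -> None:
        self.comments.append(data.strip())


def extract_comments(html: str) -> List[str]:
    """Return every HTML comment body, in document order."""
    parser = _CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def decode_instruction(comment: str) -> Optional[str]:
    """Implant-side view: recover a tasking string from a marked comment, else None."""
    if not comment.startswith(MARKER):
        return None
    try:
        return base64.b64decode(comment[len(MARKER):], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # unmarked, malformed or non-text payload: ignore it


def poll(html: str) -> List[str]:
    """Implant-side view: all tasking strings hidden in a fetched page."""
    return [cmd for cmd in map(decode_instruction, extract_comments(html)) if cmd]


def shannon_entropy(s: str) -> float:
    """Bits per character; natural-language notes score low, encoded blobs score high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_comments(html: str, min_len: int = 24, min_entropy: float = 3.5) -> List[str]:
    """Defender-side heuristic: flag comments whose body is a single long token
    that is valid base64 and has payload-like entropy. A leading 'label:' prefix
    (like the marker, or 'TODO:') is stripped before the check so the heuristic
    does not depend on knowing any particular actor's marker."""
    flagged = []
    for comment in extract_comments(html):
        body = comment.split(":", 1)[1] if ":" in comment else comment
        token = body.strip()
        if len(token) < min_len or any(ch.isspace() for ch in token):
            continue  # short, or prose with spaces: a normal developer note
        try:
            base64.b64decode(token, validate=True)
        except binascii.Error:
            continue  # not a clean base64 blob
        if shannon_entropy(token) >= min_entropy:
            flagged.append(comment)
    return flagged


if __name__ == "__main__":
    print("implant would receive:", poll(SAMPLE_PAGE))
    print("detector flags:", suspicious_comments(SAMPLE_PAGE))
```

The detector deliberately keys on the shape of the comment rather than on the marker, because the McAfee text itself notes that the actor moved to new implant families and infrastructure once its specific indicators were published; a structural heuristic survives a marker change, while a signature on `wp-cache:` would not.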