Analysis of McAfee’s Operation Shady RAT Report and highlights

It's Blackhat & Defcon week, so what follows are my thoughts ...
McAfee released their Operation Shady RAT paper yesterday.  It focuses on data captured from a single command and control server whose logs span roughly a six-year period.  They go into nice detail breaking down the attacks and their timeframes, and allude to the motivations of the (single) attacker behind them.  What does this mean for organizations and for safeguarding information?  I think this paragraph articulates the value crisply:

“What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth—closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more has “fallen off the truck” of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries.”

Interesting details:

“…key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification…”

<– As the adversary has progressed from freelance and curious to what we see now, the motivation has changed, but so has the economic model.  These attackers are concerned with the long term and are therefore financed for the long haul too.  This is a key assumption about the threat landscape that must change from prior models.  The fun days of watching attack patterns shift with the annual summer school break and DefCon are over.  Businesses, and their models, must change accordingly.

Interesting … the 14 geographic regions listed are missing one particular nation…

The description of the organizations that were breached and captured in these logs certainly runs across the board.  Given the author's view that virtually every organization has been breached, it is hard to look at the list hoping not to be on it: everyone is.  What is interesting to me is the continued deep penetration at what I term "Infrastructure Level Attacks": systemic attacks designed to bypass the base assumptions and safeguards everything else rests on, such as encryption certificates, the tokens behind 2-factor authentication, and cellphone and voicemail systems, and, as highlighted here, communications technology companies, international trade organizations that are privy to competitive information, satellite operators, and defense contractors (perhaps creating the opportunity for the recent influx of malicious control chips shipped out of China).

A rich number of papers produced over the past few years present and provide greater information on this threat.  I would encourage reading these intelligence reports as time permits.  A good site that continually has actionable information is here.

A short note on the flurry of posts and messages:

It's Blackhat and Defcon week, which means copious amounts of reports, presentations, and sometimes seismic events within the information security and intelligence space.  As interesting bits come to my attention I am posting them via Twitter, and will try to post any excerpts that catch my eye.  I strongly encourage reading the full presentations and research papers.  Massive efforts went into these works, and it is now our opportunity to apply that knowledge appropriately.  I do look forward to others sharing their opinions, research, and links.

Other thoughts?
