Shady RAT not so sophisticated: Symantec

Symantec has conducted its own investigation into the global hacking operation that McAfee has dubbed Operation Shady RAT, and called into question whether the attacks were really all that sophisticated.

(Banksy Stencil — Rats with weapons image by Justin Goring, CC BY-SA 2.0)

McAfee's report on the attack (PDF), released earlier this week, claimed that "every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised". It followed a five-year targeted operation it dubbed Operation Shady RAT, which involved over 72 parties around the world.

Building on top of McAfee's report, Symantec's investigation, written by Hon Lau on the security company's blog, explains how organisations were initially targeted, using emails with attachments that contained exploit code. The attachments seemed typically harmless, being Word, Excel, PowerPoint and PDF documents; however, when opened on unpatched systems, it dropped a trojan at the same time as displaying the expected document.

The trojan itself downloaded images and HTML pages from remote sites, which seemed innocent enough, but according to Lau, actually contained hidden or encrypted instructions that allowed it to contact the command and control server and let attackers know it has compromised its target.

While this level of infiltration might seem highly sophisticated, McAfee noted in its report that "this is not a new attack". Lau stated that "while this attack is indeed significant, it is one of many similar attacks taking place daily". In fact, Lau has raised the question of whether the hackers were really all that sophisticated to begin with.

"Is the attack described in Operation Shady RAT a truly advanced persistent threat? I would contend that it isn't, especially when you consider the errors made in configuring the servers and the relatively non-sophisticated malware and techniques used in this case. Sure the people behind it are persistent but no more so than the myriad of other malware groups out there.

"The attackers not only failed to secure their server properly, they had also installed various web traffic analysis tools on it too," he wrote. "For example, on one of the sites, we were able to see the statistics about computers contacting the command and control server to download command files."

It appears that these are the same logs that McAfee gained access to and used to map out the extent of the operation's reach. From the victims involved, McAfee suggested that a state-nation is responsible for the attack. While it didn't name names, speculation was rife that China was behind the operation.

"The media have leaped to the conclusion, with a nudge and a wink, that it simply must be China," Sophos senior technology consultant Graham Cluley wrote on his blog, but he also said punters shouldn't be so naive.

"I'm sure China does use the internet to spy on other countries. But I'm equally sure that just about every country around the world is using the internet to spy. Why wouldn't they? It's not very hard, and it's certainly cost effective compared to other types of espionage."

From Symantec's point of view, the logs don't provide enough information to determine what type of data the attackers were targeting or the motive behind it.

"The finger can't be pointed at any particular government," Lau wrote. "Not only are the victims located in various places around the globe, so too are the servers involved in these attacks."