Shady RAT Is Not a Botnet

Eugene Kaspersky has weighed in this week on Shady RAT, criticizing McAfee for exposing an operation that attacked a wide range of companies, governments, and nonprofit organizations across 14 countries and numerous sectors of the economy. Among other things, Kaspersky says he doesn’t believe it was a sophisticated attack and that our approach is alarmist. He’s missing the point.

McAfee exposed Operation Shady RAT, a massive case of espionage and wealth transfer. The intellectual property and confidential information of companies and agencies worldwide have been stolen by a single adversary over a 5+ year period. This attack was exposed so honest global communities can be aware of the urgency of cross-sector cyberresiliency. The cyberadversaries are agile and fast and disregard the law. They share information with ease and they execute their will upon companies, markets, and potentially entire economies. We lack the alacrity to defend against this threat without public-private collaboration, which begins with global awareness, the very thing we must promote to protect our way of life. It is unfortunate that Mr. Kaspersky takes issue with providing information to the public.

Would it be alarmist to let a bank know that someone has just walked out with a wad of cash while they weren’t paying attention? It doesn’t matter how sophisticated the attack is if it results in material loss. If a bank robber gets $100 million by walking in the front door with a gun, it’s news, not because the attack is novel, but because of its effectiveness. It’s not the sophistication of the attack that’s important, and this is a clear case where technical arguments are preventing some people from seeing the larger, more important picture.

Speaking of technical arguments, apparently Mr. Kaspersky has gotten it in his head that Shady RAT is a botnet. Really? Unfortunately for Mr. Kaspersky, he is getting botnets and advanced persistent threats confused. In this case, the APT should really be called an SPT (Successful Persistent Threat). It was only as advanced as it needed to be. The impressive thing here was the breadth of targets, the length of the attack, and the amount of data taken, remembering also that we know only of 72 companies/organizations victimized through one command and control server, out of hundreds or more used by this adversary. Quiet, insidious, market-changing threats like these hide in the noise of botnets, “hacks,” and other high-profile or nuisance events.

We invite critics to join with McAfee and our greater global community and focus on what we can do collectively to keep organizations safe from these types of attacks, prosecute and lower the profit model for the adversaries, and to protect our critical infrastructures and way of life worldwide.