Shady RAT Is Not a Botnet

Eugene Kaspersky has weighed in this week on Shady RAT, criticizing McAfee for exposing an operation that attacked a wide range of companies, governments, and nonprofit organizations across 14 countries and numerous sectors of the economy. Among other things, Kaspersky says he doesn’t believe it was a sophisticated attack and that our approach is alarmist. He’s missing the point.

McAfee exposed Operation Shady RAT, a massive case of espionage and wealth transfer. The intellectual property and confidential information of companies and agencies worldwide has been stolen by a single adversary over a 5+ year period. This attack was exposed so honest global communities can be aware of the urgency of cross-sector cyberresiliency. The cyberadversaries are agile and fast and disregard the law. They share information with ease and they execute their will upon companies, markets, and potentially entire economies. We lack the alacrity to defend against this threat without public-private collaboration, which begins with global awareness–the very thing we must promote to protect our way of life. It is unfortunate that Mr. Kaspersky takes issue with providing information to the public.

Would it be alarmist to let a bank know that someone has just walked out with a wad of cash while they weren’t paying attention? It doesn’t matter how sophisticated the attack is if it results in material loss. If a bank robber gets $100 million by walking in the front door with a gun, it’s news–not because the attack is novel, but because of its effectiveness. It’s not the sophistication of the attack that’s important, and this is a clear case where technical arguments are preventing some people from seeing the larger, more important picture.

Speaking of technical arguments, apparently Mr. Kaspersky has gotten it in his head that Shady RAT is a botnet. Really? Unfortunately for Mr. Kaspersky, he is getting botnets and advanced persistent threats confused. In this case, the APT should really be called an SPT (Successful Persistent Threat). It was only as advanced as it needed to be. The impressive thing here was the breadth of targets, the length of the attack, and the amount of data taken, remembering also that we know only of 72 companies/organizations victimized through one command and control server, out of hundreds or more used by this adversary. Quiet, insidious, market-changing threats like these hide in the noise of botnets, “hacks,” and other high-profile or nuisance events.

We invite critics to join with McAfee and our greater global community and focus on what we can do collectively to keep organizations safe from these types of attacks, prosecute and lower the profit model for the adversaries, and to protect our critical infrastructures and way of life worldwide.

Feds Tackle Sports-Streaming Pirate Sites

The U.S. government seized 10 domains connected to broadcasting professional sports Wednesday as part of a widespread crackdown on internet piracy.

The court-ordered seizures, as part of the government’s Operation in Our Sites, are aimed at web sites that sell counterfeited goods, as well as sites that facilitate illegal music, film and broadcast piracy. The move comes days before one of the world’s biggest sporting events, the Super Bowl this Sunday.

“The illegal streaming of professional sporting events over the internet deals a financial body blow to the leagues and broadcasters who are forced to pass their losses off to fans by raising prices for tickets and pay-per-view events,” Preet Bharara, Manhattan U.S. attorney, said in a statement. (The U.S. attorney failed to mention multi-million-dollar athlete contracts.)

The seized sites are: atdhe.net, channelsurfing.net, hq-streams.net, hq-streams.com, firstrow.net, ilemi.com, iilemi.com, iilemii.com, rojadirecta.org and rojadirecta.com.

The domains often are not given notice of the seizure, but they may challenge it in federal court. The U.S. government has jurisdiction over so-called top-level domains, like .com, .org and .net. Many of the shuttered sites display a graphic with images from the Justice Department, Immigration and Customs Enforcement and the National Intellectual Property Rights Coordination Center.

At least one of the domains is already up and running again under a new name: athe.me, which is out of the United States’ reach. “Our domain ATDHE.NET has been seized today (01/02/11). We are now using www.ATDHE.me but don’t be alarmed, we will do our best to bring you back everything. Please use the links below to stream your live sports for now,” the site told sports enthusiasts Wednesday.

In November, the federal government targeted about 80 web sites, many that bartered in counterfeited goods like scarves and golfing gear. In June, when the seizure program was announced, the government took down seven sites that distributed pirated motion pictures.