McAfee Shady RAT report ‘alarmist’ and ‘unfounded’: Eugene Kaspersky

Kaspersky Lab founder and CEO Eugene Kaspersky has criticised McAfee’s recent Shady RAT report, calling many of the findings unfounded and accusing the firm of deliberately spreading misrepresented information.


Earlier this month McAfee announced it had uncovered a massive global cyber spying operation, which targeted several US government departments, the UN and other governments and corporations across the world in attacks that dated back five years or more.

Victims of the snooping campaign include: governments of Canada, India, South Korea, Taiwan, the US and Vietnam; international bodies such as the UN, the Association of Southeast Asian Nations (ASEAN), the International Olympic Committee, the World Anti-Doping Agency; 12 US defence contractors, one UK defence contractor; and companies in construction, energy, steel, solar power, technology, satellite communications, accounting and media, according to reports.

McAfee dubbed it Operation Shady RAT, with RAT standing for Remote Access Tool. "This is the biggest transfer of wealth in terms of intellectual property in history," said McAfee vice-president of Threat Research Dmitri Alperovitch.

Eugene Kaspersky was not impressed with the findings. On his blog he wrote: "We do not share the concerns surrounding the intrusion described in the report, which the report claims has resulted in the theft of sensitive information of multiple governments, corporations and non-profit organisations."

"We conducted detailed analysis of the Shady RAT botnet and its related malware, and can conclude that the reality of the matter (especially the technical specifics) differs greatly from the conclusions made by Mr. Alperovitch," he continued.

"We consider those conclusions to be largely unfounded and not a good measure of the real threat level. Also, we cannot concede that the McAfee analyst was not aware of the groundlessness of the conclusions, leading us to be able to flag the report as alarmist due to its deliberately spreading misrepresented information."

Kaspersky went on to say threats such as TDSS, Zeus, Conficker, Bredolab, Stuxnet, Sinowal and Rustock pose a much bigger risk to businesses and governments. He added that infection by the malware involved in Operation Shady RAT could have been avoided by using many commercially-available antivirus products.

McAfee also claimed it was likely a single state was behind the attacks, although it didn’t name one (that was left to analysts, who suggested China was behind the attacks). Kaspersky also criticised this aspect.

"It looks overwhelmingly likely that no state is behind the Shady RAT botnet," he wrote. "How the botnet operates and the way the related malware is designed reveals startling fundamental defects hardly indicative of a well-funded cyber-attack backed up by a nation state."

"Even if an "evil" state were to decide to launch a targeted attack, it could buy much more sophisticated malware for just $2,000 – $3,000. And most certainly the evil state wouldn’t use the same command and control server for five years, and then keep it operating after it was revealed in the world media that it had been exposed – allowing security researchers to conduct in-depth analysis of the botnet," he added.

A number of other security experts have also questioned McAfee’s findings. Graham Cluley of rival security firm Sophos said the industry should wait before proclaiming this the biggest cyber-attack of all time. "What the report doesn’t make clear is what information was stolen from the targeted organisations, and how many computers at each business were affected," he wrote on his blog.

"I can’t help but feel that we can’t call "Operation Shady RAT" (McAfee’s name, by the way) the biggest ever cyber-attack without having questions like those answered," Cluley added.

Symantec said its findings confirm that the victims ranged from government agencies to private companies. However, it added that no country could be held responsible for the attack.

The company said: "There has been some discussion of this being a government-sponsored attack. However, the finger can’t be pointed at any particular government. Not only are the victims located in various places around the globe, so too are the servers involved in these attacks."

"While this attack is indeed significant, it is one of many similar attacks taking place daily. Even as we speak, there are other malware groups targeting many other organisations in a similar manner in order to gain entry and pilfer secrets," Symantec’s Hon Lau continued. "Is the attack described in Operation Shady RAT a truly advanced persistent threat? I would contend that it isn’t, especially when you consider the errors made in configuring the servers and the relatively non-sophisticated malware and techniques used in this case."

We’ve asked McAfee for a response to these accusations but had not received one at the time of going to press.

Listen to an exclusive CBR podcast with Eugene Kaspersky on our multimedia site, CBRTV.
