Shady RAT firms didn't want us to know
McAfee threat research vice president Dmitri Alperovitch has said that his investigation and report (PDF) into the global hacking operation codenamed Shady RAT was not about demonstrating hacker sophistication, but more a push for laws to mandate the notification of data breaches, something the companies involved were loath to do.
(Banksy Stencil — Rats with weapons image by Justin Goring, CC BY-SA 2.0)
Operation Shady RAT was a five-year targeted operation that involved over 72 victims around the world, and achieved attention in the media for its indirect accusation that China was behind the attacks. However, it also brought about claims by other security organisations, including rival Symantec, that the attacks weren't all that sophisticated.
Yet Alperovitch told ZDNet Australia that the real reason for the report wasn't to demonstrate how smart hackers were — their sloppiness at leaving logs on the command and control server was evidence that they weren't — but to highlight how unwilling companies were to disclose when their systems had been breached.
"We had the list of all the names, all the victims. We released just a few because we went to many of these companies and asked, 'Would you be OK with us releasing your name?' and virtually every single one of them said 'Hell no!' Even government agencies said, 'Absolutely not! You're not going to name me are you?'" he said.
"Out of those victims, not a single one has come forward. You have probably government systems, banking systems, major companies compromised."
Alperovitch said that the silence from both government and private organisations demonstrated the importance for data breach notification laws.
"I think that's extremely important for the public to understand, for the policy makers to understand the extent of this problem. That was the whole reason we put out Shady RAT — to educate the population, to educate the policy makers on the extent of these breaches."
Australia has been waiting for data breach notification laws since a privacy review was conducted in 2008. Despite related privacy legislation being brought forward for examination, attorneys-general from other countries have been urging Australia to make data breach laws a priority. Meanwhile, the Australian privacy commissioner has shown support for prioritising the laws, but the Attorney-General's Department has stated that data breach notification legislation will have to wait its turn.