Shady RAT firms didn't want us to know

Shady RAT firms didn't want us to know

Summary: McAfee threat research vice president Dmitri Alperovitch has said that his investigation and report into the global hacking operation codenamed Shady RAT was not about demonstrating hacker sophistication, but more a push for laws to mandate the notification of data breaches, something the companies involved were loath to do.

SHARE:
TOPICS: Security, Symantec
1

McAfee threat research vice president Dmitri Alperovitch has said that his investigation and report (PDF) into the global hacking operation codenamed Shady RAT was not about demonstrating hacker sophistication, but more a push for laws to mandate the notification of data breaches, something the companies involved were loath to do.

(Banksy Stencil — Rats with weapons image by Justin Goring, CC BY-SA 2.0)

Operation Shady RAT was a five-year targeted operation that involved over 72 victims around the world, and achieved attention in the media for its indirect accusation that China was behind the attacks. However, it also brought about claims by other security organisations, including rival Symantec, that the attacks weren't all that sophisticated.

Yet Alperovitch told ZDNet Australia that the real reason for the report wasn't to demonstrate how smart hackers were — their sloppiness at leaving logs on the command and control server was evidence that they weren't — but to highlight how unwilling companies were to disclose when their systems had been breached.

"We had the list of all the names, all the victims. We released just a few because we went to many of these companies and asked, 'Would you be OK with us releasing your name?' and virtually every single one of them said 'Hell no!' Even government agencies said, 'Absolutely not! You're not going to name me are you?'" he said.

"Out of those victims, not a single one has come forward. You have probably government systems, banking systems, major companies compromised."

Alperovitch said that the silence from both government and private organisations demonstrated the importance for data breach notification laws.

"I think that's extremely important for the public to understand, for the policy makers to understand the extent of this problem. That was the whole reason we put out Shady RAT — to educate the population, to educate the policy makers on the extent of these breaches."

Australia has been waiting for data breach notification laws since a privacy review was conducted in 2008. Despite related privacy legislation being brought forward for examination, attorneys-general from other countries have been urging Australia to make data breach laws a priority. Meanwhile, the Australian privacy commissioner has shown support for prioritising the laws, but the Attorney-General's Department has stated that data breach notification legislation will have to wait its turn.

Topics: Security, Symantec

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

1 comment
Log in or register to join the discussion
  • Legislation will not solve this problem. The law simply can no longer even try to keep pace with technology. Even the government itself will attempt a cover-up rather than admit a data breach, chemical spill, so how can we expect a higher standard for everyone else?

    Apart from my personal finances, I don't expect particularly high standards of privacy, and neither do other people. That's why they use "handles" and "NICs" for postings such as these.
    Treknology