Symantec: Shady RAT attacks may not be from China
Security firm Symantec has said it’s unclear where the so-called Shady RAT attacks originated – and rebuffed claims it’s the biggest hack ever.
This week, rival firm McAfee said it had uncovered the “biggest ever” data theft, targeting 72 countries and organisations, including the UN and the International Olympic Committee. While the security firm didn’t pin the blame on any one country, it said it was likely state-sponsored.
Symantec said the Shady RAT (remote access tool) attack was “significant”, but argued similar attacks are taking place every day.
“Even as we speak, there are other malware groups targeting many other organisations in a similar manner in order to gain entry and pilfer secrets,” said researcher Hon Lau in a post on the Symantec blog.
He noted that the targets ranged from private companies to government agencies. “What’s unclear is the type of information the attackers were targeting,” he said. “Due to the variety of organisations and individuals impacted, there is no clear motive.”
“There has been some discussion of this being a government-sponsored attack,” Lau said. “However, the finger can’t be pointed at any particular government. Not only are the victims located in various places around the globe, so too are the servers involved in these attacks.”
An official Chinese newspaper denied accusations that the Chinese Government was behind the attacks. “Linking China to internet hacking attacks is irresponsible,” it said, according to a report from Reuters. “The McAfee report claims that a ‘state actor’ engaged in hacking for a large-scale internet espionage operation, but its analysis clearly does not stand up to scrutiny.”
China is frequently accused of hacking attacks, and was notably blamed for the intrusion into Gmail accounts that eventually led to Google quitting the country.
Symantec revealed more details of the Shady RAT attack, saying information about the targets was readily available on the hackers’ command and control site, which the firm said was “a strange oversight considering this type of attack is often described as ‘advanced’ or ‘sophisticated’.”
Lau said the attack started with a social-engineering trick: emails with malicious Excel files attached, labelled in such a way as to look innocuous to the recipient. When the file is opened, it drops a Trojan on the machine.
“One possible tell-tale sign of this exploit is that Excel appears to hang for a short time before it resumes, and the application may even crash and restart,” Lau said.
The Trojan will contact a remote site, where commands are hidden in image or HTML files – an “interesting ploy” by the attackers to sneak the commands past firewalls.
The Trojan then sets up a connection to the attackers and opens a remote shell on the compromised machine, from where the hackers can access and steal data.
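The article says the Trojan's commands were hidden in image or HTML files so they would pass firewalls, but not how they were embedded. One check a defender can run over files that endpoints have fetched is to flag images carrying bytes beyond their end-of-image marker, a common hiding place for smuggled content. The Python below is an added example, not Symantec's, McAfee's or the attackers' code; it assumes, as a hypothesis, that commands were appended after a structurally valid PNG or JPEG body (HTML files are not handled), and the sample files it scans are constructed inline.

```python
"""Flag PNG/JPEG files that carry data after their end-of-image marker.

Added example for the Shady RAT write-up; the appended-command layout is an
assumption, not something the article states.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def png_end_offset(data):
    """Offset just past the IEND chunk, or None if not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # header + body + CRC
        if chunk_end > len(data):
            return None
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return None


def jpeg_end_offset(data):
    """Offset just past the EOI marker, walking segments so an FFD9 inside
    entropy-coded data or an embedded thumbnail is not mistaken for the end."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI
            return pos + 2
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:  # SOS: skip stuffed FF00 and RSTn until a real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def trailing_bytes(data):
    """Bytes after the image proper; b"" if clean, None if not a known image."""
    end = png_end_offset(data)
    if end is None:
        end = jpeg_end_offset(data)
    if end is None:
        return None
    return data[end:]


def scan(files):
    """Return (name, trailing_length) for every image with appended data."""
    findings = []
    for name, data in files.items():
        tail = trailing_bytes(data)
        if tail:
            findings.append((name, len(tail)))
    return findings


# --- constructed sample files (not real captures) ---------------------------
def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png():
    """1x1 RGB PNG built by hand."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    raw = b"\x00\xff\x00\x00"  # filter byte + one red pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def make_jpeg():
    """Structurally valid (not decodable) JPEG: SOI, APP0, SOS with stuffed FF00, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return JPEG_SOI + app0 + sos + b"\x12\x34\xff\x00\x56" + JPEG_EOI


SAMPLES = {
    "clean.png": make_png(),
    "clean.jpg": make_jpeg(),
    "suspect.png": make_png() + b"<!-- constructed: text appended after IEND -->",
    "suspect.jpg": make_jpeg() + b"constructed trailing payload",
}

if __name__ == "__main__":
    for name, size in scan(SAMPLES):
        print(f"{name}: {size} bytes after end-of-image marker")
```

Run against a directory of cached downloads, this catches only the crude appended-data case; content hidden inside legitimate chunks or pixel data needs a different check, and a nonzero tail is a lead to inspect, not proof of compromise.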